
# Copyright 2001-2018 Sourcefire, Inc. All Rights Reserved.
#
# This file contains rules that were created by Sourcefire, Inc. and other third
# parties (the "GPL Rules") that are distributed under the GNU General Public
# License (GPL), v2. The GPL Rules created by Sourcefire are owned by Sourcefire,
# Inc., and the GPL Rules not created by Sourcefire are owned by their respective
# owners. Please see the AUTHORS file included in the community package for a
# list of third party owners and their respective copyrights.
#
# This file does not contain any Sourcefire VRT Certified Rules; the VRT Certified
# Rules are distributed by Sourcefire separately under the VRT Certified Rules
# License Agreement (v 2.0)
#
#-----------------
# COMMUNITY RULES
#-----------------

# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR -


Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|
24 00|"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"MALWARE-BACKDOOR QAZ Worm
Client Login access"; flow:to_server,established; content:"qazwsx.hsq";
metadata:ruleset community; reference:mcafee,98775; classtype:misc-activity;
sid:108; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"MALWARE-BACKDOOR
netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|";
metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10;)
# alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetBus Pro
2.0 connection established"; flow:to_client,established;
flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6;
content:"|05 00|"; depth:2; offset:8; metadata:ruleset community; classtype:trojan-
activity; sid:115; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Infector.1.x"; flow:established,to_client; content:"WHATISIT"; depth:9;
metadata:impact_flag red, ruleset community; reference:nessus,11157;
classtype:misc-activity; sid:117; rev:17;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| ";
depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for
commands"; distance:0; nocase; metadata:ruleset community;
reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html;
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-
activity; sid:118; rev:12;)
# alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly 2.0
access"; flow:established,to_client; content:"Wtzup Use"; depth:32;
metadata:ruleset community; classtype:misc-activity; sid:119; rev:11;)
# alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR
Infector 1.6 Client to Server Connection Request"; flow:to_server,established;
content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-
activity; sid:121; rev:14;)
# alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR HackAttack
1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset
community; classtype:misc-activity; sid:141; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login
attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm";
distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service
ftp; classtype:suspicious-login; sid:144; rev:16;)
# alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
NetSphere access"; flow:established,to_client; content:"NetSphere";
metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase;
content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase;
pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi";
metadata:ruleset community; reference:url,www.spywareguide.com/product_show.php?
id=973; classtype:trojan-activity; sid:147; rev:11;)
# alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|";
metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR
BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established;
content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157;
rev:9;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established;
content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity;
sid:158; rev:10;)
# alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"MALWARE-BACKDOOR Matrix 2.0
Client connect"; flow:to_server; content:"activate"; metadata:ruleset community;
classtype:misc-activity; sid:161; rev:10;)
# alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"MALWARE-BACKDOOR Matrix 2.0
Server access"; flow:to_server; content:"logged in"; metadata:ruleset community;
classtype:misc-activity; sid:162; rev:10;)
# alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR WinCrash 1.0
Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:ruleset
community; classtype:misc-activity; sid:163; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"MALWARE-BACKDOOR CDK";
flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:ruleset
community; classtype:misc-activity; sid:185; rev:10;)
# alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat
3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open";
metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053;
classtype:trojan-activity; sid:195; rev:14;)
# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR PhaseZero
Server Active on Network"; flow:established,to_client; content:"phAse zero server";
depth:17; nocase; metadata:ruleset community;
reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html;
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-
activity; sid:208; rev:12;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR w00w00
attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community;
classtype:attempted-admin; sid:209; rev:9;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR
attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:ruleset
community; classtype:attempted-admin; sid:210; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset
community; classtype:attempted-admin; sid:211; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset
community; classtype:attempted-admin; sid:212; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
Linux rootkit attempt"; flow:to_server,established; content:"wh00t!";
metadata:ruleset community; classtype:attempted-admin; sid:213; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x";
metadata:ruleset community; classtype:attempted-admin; sid:214; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase;
metadata:ruleset community; classtype:attempted-admin; sid:215; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
Linux rootkit satori attempt"; flow:to_server,established; content:"satori";
metadata:ruleset community; classtype:attempted-admin; sid:216; rev:11;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset
community; classtype:attempted-admin; sid:217; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC
Solaris 2.5 attempt"; flow:to_server,established; content:"friday";
metadata:ruleset community; classtype:attempted-user; sid:218; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HidePak
backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset
community; classtype:misc-activity; sid:219; rev:10;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR
HideSource backdoor attempt"; flow:to_server,established; content:"wank";
metadata:ruleset community; classtype:misc-activity; sid:220; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN Probe";
icmp_id:678; itype:8; content:"1234"; fast_pattern:only; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP tfn2k icmp
possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA";
fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:222; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] (msg:"MALWARE-OTHER Trin00
Daemon to Master PONG message detected"; flow:to_server; content:"PONG";
fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:223; rev:13;)
# alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht
server spoof"; icmp_id:666; itype:0; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht
gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht
server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht
client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN client
command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/";
metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos;
sid:228; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht
client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12;)
# alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER shaft client
login to handler"; flow:to_client,established; content:"login|3A|";
fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138;
reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml;
classtype:attempted-dos; sid:230; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon
to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only;
metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos;
sid:231; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon
to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*";
metadata:ruleset community; reference:cve,2000-0138;
reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-
dos; sid:232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00
Attacker to Master default startup password"; flow:established,to_server;
content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:233; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00
Attacker to Master default password"; flow:established,to_server; content:"gOrave";
metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos;
sid:234; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00
Attacker to Master default mdie password"; flow:established,to_server;
content:"killme"; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:235; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht
client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER Trin00 Master
to Daemon default password attempt"; flow:to_server; content:"l44adsl";
metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos;
sid:237; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP TFN server
response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"MALWARE-OTHER shaft handler
to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"MALWARE-OTHER shaft agent to
handler"; flow:to_server; content:"alive"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"MALWARE-OTHER mstream agent
to handler"; flow:to_server; content:"newserver"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream
handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream
handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream agent
pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"MALWARE-OTHER mstream client
to handler"; flow:to_server,established; content:">"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8;)
# alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream
handler to client"; flow:to_client,established; content:">"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8;)
# alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream
handler to client"; flow:to_client,established; content:">"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP - TFN client
command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/";
metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos;
sid:251; rev:11;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query
response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80
00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|";
fast_pattern:only; metadata:ruleset community, service dns; classtype:bad-unknown;
sid:253; rev:14;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query
response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|";
depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big;
byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4;
content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big;
byte_test:4,>,0,0,relative,big; metadata:ruleset community, service dns;
classtype:bad-unknown; sid:254; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer
via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|";
depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern;
isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-
0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors
attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|
bind|00|"; offset:12; nocase; metadata:ruleset community, service dns;
reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version
attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase;
content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns;
reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer
Overflow via NXT records"; flow:to_server,established; content:"../../../";
fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788;
reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer
Overflow via NXT records named overflow ADM"; flow:to_server,established;
content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhoca
reshorizongotitworkingsoalliscool"; fast_pattern:only; metadata:ruleset community,
service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-
admin; sid:259; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer
Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established;
content:"ADMROCKS"; metadata:ruleset community, service dns; reference:bugtraq,788;
reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html;
classtype:attempted-admin; sid:260; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind named
overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF
FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service dns;
reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin;
sid:261; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow
attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|
C0|"; fast_pattern:only; metadata:ruleset community, service dns;
classtype:attempted-admin; sid:262; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow
attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|
B0|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:264;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow
attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2
AC|<|FE|"; fast_pattern:only; metadata:ruleset community, service dns;
classtype:attempted-admin; sid:265; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-OTHER x86 FreeBSD overflow
attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|
05|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:266;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc
overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92
02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns;
classtype:attempted-admin; sid:267; rev:13;)
# alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb";
flow:to_server; metadata:ruleset community; reference:cve,1999-0103;
reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WIndows
IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community;
reference:bugtraq,514; reference:cve,1999-0918;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034;
classtype:attempted-dos; sid:272; rev:16;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ath"; itype:8;
content:"+++ath"; fast_pattern:only; metadata:ruleset community;
reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks
Audio Server denial of service attempt"; flow:to_server,established; content:"|FF
F4 FF FD 06|"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-
0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks
Server template.html"; flow:to_server,established;
content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset
community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461;
classtype:attempted-dos; sid:277; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER RealNetworks
Server template.html"; flow:to_server,established;
content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset
community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-
dos; sid:278; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Bay/Nortel
Nautica Marlin"; flow:to_server; dsize:0; metadata:ruleset community;
reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279;
rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route";
flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:ruleset
community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos;
sid:281; rev:12;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-OTHER Netscape 4.7
client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|
C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822;
reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user;
sid:283; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD
overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89
F9|"; fast_pattern:only; metadata:ruleset community, service pop3;
reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196;
classtype:attempted-admin; sid:286; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD
overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1";
fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-
admin; sid:287; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 Linux
overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF
FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3;
classtype:attempted-admin; sid:288; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 SCO
overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89
F9|"; fast_pattern:only; metadata:ruleset community, service pop3;
reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006;
classtype:attempted-admin; sid:289; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT qpopper
overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh";
fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,830;
reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin;
sid:290; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-LINUX x86 Linux samba
overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|";
metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536;
reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin;
sid:292; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris
npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|
F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-
1588; classtype:attempted-admin; sid:300; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPRng overflow";
flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0
FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community;
reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin;
sid:301; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-LINUX Redhat 7.0 lprd
overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n";
metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917;
classtype:attempted-admin; sid:302; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer
Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD
09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:ruleset
community, service dns; reference:bugtraq,2302; reference:cve,2001-0010;
reference:nessus,10605; classtype:attempted-admin; sid:303; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"SERVER-OTHER SCO calserver
overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|";
metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306;
classtype:attempted-admin; sid:304; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER delegate proxy
overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//";
nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165;
classtype:attempted-admin; sid:305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER VQServer admin";
flow:to_server,established; content:"GET / HTTP/1.1"; nocase; metadata:ruleset
community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354;
reference:url,www.vqsoft.com/vq/server/docs/other/control.html;
classtype:attempted-admin; sid:306; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"SERVER-OTHER CHAT IRC
topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23
B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672;
classtype:attempted-user; sid:307; rev:12;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client
overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|
C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572;
reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL sniffit
overflow"; flow:to_server,established; dsize:>512; flags:A+; content:"from|3A 90 90
90 90 90 90 90 90 90 90 90|"; nocase; metadata:ruleset community, service smtp;
reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin;
sid:309; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL x86 windows
MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82
8B F3 80|+"; fast_pattern:only; metadata:ruleset community, service smtp;
reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin;
sid:310; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BROWSER-OTHER Netscape 4.7
unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|
FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822;
reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user;
sid:311; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:suspicious-filename-detect; sid:335; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:353; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:354; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:355; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; metadata:ruleset community, service ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:358; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:359; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20."; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:20;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:372; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable undefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:411; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP undefined code"; icode:>0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:446; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:476; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP no password";
flow:to_server,established; content:"PASS"; fast_pattern:only;
pcre:"/^PASS\s*\n/smi"; metadata:policy max-detect-ips drop, ruleset community,
service ftp; classtype:unknown; sid:489; rev:19;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL battle-mail
traffic"; flow:to_server,established; content:"BattleMail"; metadata:ruleset
community, service smtp; classtype:policy-violation; sid:490; rev:12;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"PROTOCOL-FTP Bad login";
flow:to_client,established; content:"530 "; fast_pattern:only; pcre:"/^530\s+
(Login|User)/smi"; metadata:ruleset community, service ftp; classtype:bad-unknown;
sid:491; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login
failed"; flow:to_client,established; content:"Login failed"; nocase;
metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492;
rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT psyBNC access";
flow:to_client,established; content:"[email protected]"; fast_pattern:only;
metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-
COMPROMISE command completed"; flow:established; content:"Command completed";
fast_pattern:only; pcre:"/^Command\s+?completed\b/sm"; metadata:ruleset community,
service http; reference:bugtraq,1806; reference:cve,2000-0884;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078;
classtype:bad-unknown; sid:494; rev:20;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-
COMPROMISE command error"; flow:established; content:"Bad command or filename";
nocase; metadata:ruleset community, service http; classtype:bad-unknown; sid:495;
rev:14;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-
COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|
28|s|29| copied"; fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497;
rev:20;)
# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root";
content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown;
sid:498; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"SERVER-OTHER Insecure
TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16;
metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"PUA-OTHER PCAnywhere
Attempted Administrator Login"; flow:to_server,established;
content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|"; fast_pattern:only; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; metadata:ruleset community, service http; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12;)
# alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|"; depth:2; metadata:ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:".."; offset:2; metadata:ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; dsize:<140; content:"NICK "; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:543; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:544; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:545; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:546; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD ' possible warez site"; flow:to_server,established; content:"MKD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:547; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:548; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/smi"; metadata:ruleset community, service ftp; classtype:misc-activity; sid:553; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:554; rev:10;)
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"APP-DETECT PCAnywhere server response"; content:"ST"; depth:2; metadata:ruleset community; classtype:misc-activity; sid:566; rev:10;)
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL SMTP relaying denied"; flow:established,to_client; content:"550 5.7.1"; depth:70; metadata:ruleset community, service smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:575; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:577; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:578; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:579; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:20;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:582; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:583; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request UDP attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:585; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:587; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:26;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:589; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17;)
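# Added example (not part of the community ruleset): the portmap rules above (sids 575-599) share one
# option chain, and the part worth understanding is the pair of byte_jump:4,4,relative,align options
# that step over the variable-length RPC credential and verifier before testing the program number in
# the GETPORT arguments. The Python below builds constructed ONC RPC GETPORT calls (AUTH_NULL and a
# padded AUTH_UNIX credential, UDP and TCP with its record mark) and re-implements that chain so the
# offsets can be checked by hand. Every function and constant name is this example's own, not a Snort
# or rules-file API; the sid-to-program table is transcribed from the content:"|..|" bytes above.

```python
import struct

# ONC RPC / portmapper constants (RFC 5531, RFC 1833).
PORTMAP, PMAPPROC_GETPORT, PMAPPROC_DUMP, IPPROTO_UDP = 100000, 3, 4, 17
AUTH_NULL, AUTH_UNIX = 0, 1


def opaque_auth(flavor, body=b""):
    """XDR opaque_auth: flavor, body length, body padded to a 4-byte boundary."""
    return struct.pack(">II", flavor, len(body)) + body + b"\0" * ((-len(body)) % 4)


def rpc_call(prog, vers, proc, args, cred=None, xid=0x5EED0001):
    """ONC RPC v2 CALL message as it appears in a UDP payload (msg_type 0 = CALL)."""
    header = struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc)
    cred = opaque_auth(AUTH_NULL) if cred is None else cred
    return header + cred + opaque_auth(AUTH_NULL) + args


def getport_request(target_prog, target_vers=1, proto=IPPROTO_UDP, cred=None):
    """Constructed portmapper GETPORT lookup for target_prog: the request the rules above look for."""
    args = struct.pack(">IIII", target_prog, target_vers, proto, 0)
    return rpc_call(PORTMAP, 2, PMAPPROC_GETPORT, args, cred)


def tcp_record(payload):
    """RPC record marking used over TCP: a 4-byte header with the last-fragment bit and the length."""
    return struct.pack(">I", 0x80000000 | len(payload)) + payload


def portmap_getport_matches(payload, target_prog, tcp=False):
    """Re-implement the option chain shared by sids 575-595 against one payload.

    The TCP variants differ from the UDP ones only in offset:16/offset:8 instead of
    offset:12/offset:4, i.e. by the 4-byte record mark, which `base` absorbs.
    """
    base = 4 if tcp else 0
    # content:"|00 01 86 A0|"; depth:4; offset:12  -> program field is the portmapper
    if payload[base + 12:base + 16] != struct.pack(">I", PORTMAP):
        return False
    cursor = base + 16
    # content:"|00 00 00 03|"; within:4; distance:4  -> skip the version field; procedure is GETPORT
    if payload[cursor + 4:cursor + 8] != struct.pack(">I", PMAPPROC_GETPORT):
        return False
    cursor += 8
    # byte_jump:4,4,relative,align (twice): read the opaque_auth body length 4 bytes past the
    # cursor (skipping the flavor), round it up to a 4-byte boundary, and jump over the body.
    # The first jump clears the credential, the second the verifier, so the rule lands on the
    # GETPORT arguments whether the caller used AUTH_NULL or a full AUTH_UNIX credential.
    for _ in range(2):
        if len(payload) < cursor + 8:
            return False
        body_len = struct.unpack(">I", payload[cursor + 4:cursor + 8])[0]
        cursor += 8 + ((body_len + 3) & ~3)
    # content:"|<prog>|"; within:4  -> first GETPORT argument is the program being looked up
    if payload[cursor:cursor + 4] != struct.pack(">I", target_prog):
        return False
    # content:"|00 00 00 00|"; depth:4; offset:4  -> msg_type CALL, so replies never match
    return payload[base + 4:base + 8] == b"\0\0\0\0"


# sid -> program number, transcribed from the rules above (UDP/111 rules and TCP/111 rules).
UDP_PORTMAP_RULES = {
    575: 100087, 576: 100099, 577: 100026, 578: 100068, 579: 100005, 580: 100300,
    581: 150001, 582: 100017, 583: 100001, 584: 100002, 585: 100232, 586: 100015,
    587: 100024, 588: 100083, 589: 100009, 590: 100004,
}
TCP_PORTMAP_RULES = {591: 100028, 593: 100249, 595: 391029}


def portmap_sids(payload, tcp=False):
    """Return the sids that fire on one UDP/111 payload (or one TCP/111 record when tcp=True)."""
    rules = TCP_PORTMAP_RULES if tcp else UDP_PORTMAP_RULES
    return {sid for sid, prog in rules.items() if portmap_getport_matches(payload, prog, tcp)}


if __name__ == "__main__":
    # Constructed samples: an AUTH_NULL lookup for mountd, an AUTH_UNIX lookup for ttdbserv whose
    # 21-byte credential body exercises the align step, and a TCP lookup for snmpXdmi.
    print(portmap_sids(getport_request(100005)))                                          # {579}
    print(portmap_sids(getport_request(100083, cred=opaque_auth(AUTH_UNIX, bytes(21)))))  # {588}
    print(portmap_sids(tcp_record(getport_request(100249)), tcp=True))                    # {593}
```

# These rules key on the lookup, not on any exploit, so a hit is reconnaissance: something asked the
# portmapper where a historically vulnerable service is registered. A whole-table DUMP (procedure 4)
# does not pass the "|00 00 00 03|" check and is what sids 598 and 599 catch instead.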
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:13;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;)
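# Added example (not part of the community ruleset): the r-services rules above (sids 601-611) match
# on NUL-separated fields of the rlogin (RFC 1282) and rsh/rcmd client connection strings, which is
# why they are written as "...|00|..." sequences rather than plain text. The Python below builds
# constructed connection strings, applies each client-to-server rule's content (and sid 610's pcre,
# copied verbatim), and shows what the pcre actually accepts. Helper names are this example's own.

```python
import re


def rlogin_connect(client_user, server_user, term="xterm/38400"):
    """rlogin (TCP/513): an empty string, the client-side user, the server-side user, terminal/speed."""
    return b"\0" + client_user.encode() + b"\0" + server_user.encode() + b"\0" + term.encode() + b"\0"


def rsh_connect(client_user, server_user, command, stderr_port=0):
    """rsh/rcmd (TCP/514): stderr port as ASCII digits ("0" for none), client user, server user, command."""
    return (str(stderr_port).encode() + b"\0" + client_user.encode() + b"\0"
            + server_user.encode() + b"\0" + command.encode() + b"\0")


# pcre from sid 610, unchanged: /^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i
SID_610_PCRE = re.compile(rb"^(\d{1,5})?\x00?[^\x00]+?\x00root\x00", re.I)

# sid -> (destination port, content). Each client-to-server rule in this group is one content
# match except sid 610, which adds the pcre above.
CONTENT_RULES = {
    602: (513, b"bin\0bin\0"),
    603: (513, b'echo " + + "'),
    604: (513, b"-froot\0"),
    606: (513, b"root\0root\0"),
    607: (514, b"bin\0bin\0"),
    608: (514, b'echo "+ +"'),
    609: (514, b"-froot\0"),
}


def rservices_sids(dst_port, payload):
    """Sids from the rlogin/rsh group above that fire on one client-to-server payload."""
    hits = {sid for sid, (port, needle) in CONTENT_RULES.items()
            if port == dst_port and needle in payload}
    # sid 610: content:"|00|root|00|" as the fast pattern, then the pcre over the whole payload.
    if dst_port == 514 and b"\0root\0" in payload and SID_610_PCRE.search(payload):
        hits.add(610)
    return hits


def rsh_fields(payload):
    """Split an rsh connection string into (stderr_port, client_user, server_user, command)."""
    parts = payload.split(b"\0")
    return tuple(p.decode(errors="replace") for p in parts[:4])


if __name__ == "__main__":
    # Constructed rsh sessions: which user field is "root" decides nothing for sid 610.
    for client, server in (("root", "root"), ("bob", "root"), ("root", "bob"), ("bob", "alice")):
        pkt = rsh_connect(client, server, "id")
        print(rsh_fields(pkt), rservices_sids(514, pkt))
```

# Because both the leading (\d{1,5})? and the \x00? in sid 610's pcre are optional, [^\x00]+? is free
# to consume the stderr-port field, so the rule fires when either the client-side or the server-side
# user is root, not only when the target user is; the message "rsh root" reads narrower than the
# regex. Worth knowing before enabling it on a network that still carries cleartext r-services.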
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:11;)
# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; classtype:attempted-recon; sid:613; rev:10;)
# alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:616; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset community; classtype:attempted-recon; sid:619; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; classtype:attempted-recon; sid:622; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:626; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:627; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; classtype:attempted-recon; sid:630; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:631; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:632; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:634; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:635; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:636; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:ruleset community; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:647; rev:15;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:648; rev:18;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:649; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:650; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:28;)
# alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:ruleset community, service smtp; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:20;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082; classtype:attempted-dos; sid:658; rev:19;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; fast_pattern:only; pcre:"/^expn\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern:only; pcre:"/^expn\s+root/smi"; metadata:ruleset community, service smtp; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:19;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; fast_pattern:only; metadata:ruleset community, service smtp; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; fast_pattern:only; pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/smi"; metadata:ruleset community, service smtp; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:24;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:23;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_start_job - program
execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|
00|t|00|_|00|j|00|o|00|b|00|"; fast_pattern:only; metadata:ruleset community;
classtype:attempted-user; sid:673; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_start_job - program
execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|
00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; metadata:ruleset
community; classtype:attempted-user; sid:676; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_password password
change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|
00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community;
classtype:attempted-user; sid:677; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_delete_alert log
file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|
e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; fast_pattern:only; metadata:ruleset
community; classtype:attempted-user; sid:678; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_adduser database
user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|
u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; metadata:ruleset community;
classtype:attempted-user; sid:679; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_cmdshell program
execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|
00|h|00|e|00|l|00|l|00|"; offset:32; nocase; metadata:ruleset community;
reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_password - password
change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|
00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community;
classtype:attempted-user; sid:683; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_delete_alert log
file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|
e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; fast_pattern:only; metadata:ruleset
community; classtype:attempted-user; sid:684; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_adduser - database
user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|
u|00|s|00|e|00|r|00|"; fast_pattern:only; metadata:ruleset community;
classtype:attempted-user; sid:685; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_reg* -
registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|
00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5205;
reference:cve,2002-0642; reference:nessus,10642;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034;
classtype:attempted-user; sid:686; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_cmdshell - program
execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|
00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10;)
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed";
flow:to_client,established; content:"Login failed for user 'sa'";
fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop,
policy security-ips drop, ruleset community; reference:bugtraq,4797;
reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user;
sid:688; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_reg*
registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|
00|"; depth:32; offset:32; nocase; metadata:ruleset community;
reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034;
classtype:attempted-user; sid:689; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE
shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|
U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691;
rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE
shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|
U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE
shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00
90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community;
classtype:shellcode-detect; sid:693; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE
shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00
90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community;
classtype:attempted-user; sid:694; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_sprintf
possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|
00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; metadata:ruleset community;
reference:bugtraq,1204; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS01-060; classtype:attempted-user; sid:695; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sprintf
possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|
00|p|00|r|00|i|00|n|00|t|00|f|00|"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060;
classtype:attempted-user; sid:704; rev:16;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET 4Dgifts
SGI account attempt"; flow:to_server,established; content:"4Dgifts";
metadata:ruleset community, service telnet; reference:cve,1999-0501;
reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET EZsetup
account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset
community, service telnet; reference:cve,1999-0501; reference:nessus,11244;
classtype:suspicious-login; sid:710; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET SGI
telnetd format bug"; flow:to_server,established; content:"_RLD"; fast_pattern:only;
content:"bin/sh"; metadata:ruleset community, service telnet;
reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin;
sid:711; rev:18;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
ld_library_path"; flow:to_server,established; content:"ld_library_path";
fast_pattern:only; metadata:ruleset community, service telnet;
reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF
F3|"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet;
reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf";
fast_pattern:only; metadata:ruleset community, service telnet;
reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin;
sid:714; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET Attempted
SU from wrong group"; flow:to_client,established; content:"to su root";
fast_pattern:only; metadata:ruleset community, service telnet; classtype:attempted-
admin; sid:715; rev:14;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET not on
console"; flow:to_client,established; content:"not on system console";
fast_pattern:only; metadata:ruleset community, service telnet; classtype:bad-
unknown; sid:717; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login
incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset
community, service telnet; classtype:bad-unknown; sid:718; rev:16;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET root
login"; flow:to_client,established; content:"login|3A| root"; fast_pattern:only;
metadata:ruleset community, service telnet; classtype:suspicious-login; sid:719;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established;
content:"/hsx.cgi"; http_uri; content:"../../"; http_raw_uri; content:"%00";
distance:1; http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602;
classtype:web-application-attack; sid:803; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
SWSoft ASPSeek Overflow attempt"; flow:to_server,established; content:"/s.cgi";
fast_pattern; nocase; http_uri; content:"tmpl="; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2492; reference:cve,2001-0476;
classtype:web-application-attack; sid:804; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Progress webspeed access"; flow:to_server,established;
content:"/wsisa.dll/WService="; fast_pattern; nocase; http_uri; content:"WSMadmin";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,969;
reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb
directory traversal attempt"; flow:to_server,established; content:"/YaBB";
fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset
community, service http; reference:bugtraq,1668; reference:cve,2000-0853;
reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
/wwwboard/passwd.txt access"; flow:to_server,established;
content:"/wwwboard/passwd.txt"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,649; reference:cve,1999-0953;
reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon;
sid:807; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
webdriver access"; flow:to_server,established; content:"/webdriver";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established;
content:"/whois_raw.cgi?"; http_uri; content:"|0A|"; metadata:ruleset community,
service http; reference:bugtraq,304; reference:cve,1999-1063;
reference:nessus,10306; classtype:web-application-attack; sid:809; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
whois_raw.cgi access"; flow:to_server,established; content:"/whois_raw.cgi";
http_uri; metadata:ruleset community, service http; reference:bugtraq,304;
reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon;
sid:810; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
websitepro path access"; flow:to_server,established; content:" /HTTP/1.";
fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,932;
reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon;
sid:811; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
webplus version access"; flow:to_server,established; content:"/webplus?about";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon;
sid:812; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
webplus directory traversal"; flow:to_server,established; content:"/webplus?
script"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri;
metadata:ruleset community, service http; reference:bugtraq,1102;
reference:cve,2000-0282; reference:nessus,10367; classtype:web-application-attack;
sid:813; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
websendmail access"; flow:to_server,established; content:"/websendmail";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301;
classtype:attempted-recon; sid:815; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
dcboard.cgi invalid user addition attempt"; flow:to_server,established;
content:"/dcboard.cgi"; http_uri; content:"command=register"; content:"%7cadmin";
metadata:ruleset community, service http; reference:bugtraq,2728;
reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack;
sid:817; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
dcforum.cgi access"; flow:to_server,established; content:"/dcforum.cgi"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2728;
reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon;
sid:818; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
mmstdod.cgi access"; flow:to_server,established; content:"/mmstdod.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566;
classtype:attempted-recon; sid:819; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
anaconda directory traversal attempt"; flow:to_server,established;
content:"/apexec.pl"; http_uri; content:"template=../"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,2338;
reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308;
reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
imagemap.exe overflow attempt"; flow:to_server,established;
content:"/imagemap.exe?"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,739; reference:cve,1999-0951;
reference:nessus,10122; classtype:web-application-attack; sid:821; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
cvsweb.cgi access"; flow:to_server,established; content:"/cvsweb.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465;
classtype:attempted-recon; sid:823; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
php.cgi access"; flow:to_server,established; content:"/php.cgi"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2250;
reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238;
reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
glimpse access"; flow:to_server,established; content:"/glimpse"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2026;
reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon;
sid:825; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
htmlscript access"; flow:to_server,established; content:"/htmlscript";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106;
classtype:attempted-recon; sid:826; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
info2www access"; flow:to_server,established; content:"/info2www";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127;
classtype:attempted-recon; sid:827; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
maillist.pl access"; flow:to_server,established; content:"/maillist.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:828; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-
test-cgi access"; flow:to_server,established; content:"/nph-test-cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165;
classtype:attempted-recon; sid:829; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
perl.exe access"; flow:to_server,established; content:"/perl.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:nessus,10173;
reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon;
sid:832; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
rguest.exe access"; flow:to_server,established; content:"/rguest.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon;
sid:833; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
rwwwshell.pl access"; flow:to_server,established; content:"/rwwwshell.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon;
sid:834; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
test-cgi access"; flow:to_server,established; content:"/test-cgi";
fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset
community, service http; reference:bugtraq,2003; reference:cve,1999-0070;
reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
textcounter.pl access"; flow:to_server,established; content:"/textcounter.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451;
classtype:attempted-recon; sid:836; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
uploader.exe access"; flow:to_server,established; content:"/uploader.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769;
reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
webgais access"; flow:to_server,established; content:"/webgais"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2058;
reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon;
sid:838; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
finger access"; flow:to_server,established; content:"/finger"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:cve,1999-0612;
reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
perlshop.cgi access"; flow:to_server,established; content:"/perlshop.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
aglimpse access"; flow:to_server,established; content:"/aglimpse";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095;
classtype:attempted-recon; sid:842; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
anform2 access"; flow:to_server,established; content:"/AnForm2"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,719;
reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
args.bat access"; flow:to_server,established; content:"/args.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon;
sid:844; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-
admin.cgi access"; flow:to_server,established; content:"/AT-admin.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
bnbform.cgi access"; flow:to_server,established; content:"/bnbform.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon;
sid:846; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
campas access"; flow:to_server,established; content:"/campas"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,1975;
reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon;
sid:847; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
view-source directory traversal"; flow:to_server,established; content:"/view-
source"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri;
metadata:ruleset community, service http; reference:bugtraq,2251;
reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack;
sid:848; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
view-source access"; flow:to_server,established; content:"/view-source";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174;
classtype:attempted-recon; sid:849; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
wais.pl access"; flow:to_server,established; content:"/wais.pl"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; classtype:attempted-recon;
sid:850; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
files.pl access"; flow:to_server,established; content:"/files.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
wguest.exe access"; flow:to_server,established; content:"/wguest.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467;
classtype:attempted-recon; sid:852; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wrap
access"; flow:to_server,established; content:"/wrap"; http_uri; metadata:ruleset
community, service http; reference:bugtraq,373; reference:cve,1999-0149;
reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
classifieds.cgi access"; flow:to_server,established; content:"/classifieds.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon;
sid:854; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
environ.cgi access"; flow:to_server,established; content:"/environ.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:856; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
faxsurvey access"; flow:to_server,established; content:"/faxsurvey";
fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset
community, service http; reference:bugtraq,2056; reference:cve,1999-0262;
reference:nessus,10067; classtype:web-application-activity; sid:857; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
filemail access"; flow:to_server,established; content:"/filemail.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
man.sh access"; flow:to_server,established; content:"/man.sh"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2276;
reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
snork.bat access"; flow:to_server,established; content:"/snork.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon;
sid:860; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3-
msql access"; flow:to_server,established; content:"/w3-msql/"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,591;
reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753;
reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon;
sid:861; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh
access"; flow:to_server,established; content:"/csh"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0509;
reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon;
sid:862; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
day5datacopier.cgi access"; flow:to_server,established;
content:"/day5datacopier.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-1232; classtype:attempted-recon;
sid:863; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
day5datanotifier.cgi access"; flow:to_server,established;
content:"/day5datanotifier.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-1232; classtype:attempted-recon;
sid:864; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh
access"; flow:to_server,established; content:"/ksh"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0509;
reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon;
sid:865; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
post-query access"; flow:to_server,established; content:"/post-query";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon;
sid:866; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
visadmin.exe access"; flow:to_server,established; content:"/visadmin.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295;
classtype:attempted-recon; sid:867; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh
access"; flow:to_server,established; content:"/rsh"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0509;
reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon;
sid:868; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
dumpenv.pl access"; flow:to_server,established; content:"/dumpenv.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon;
sid:869; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; content:"/snorkerz.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:870; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established; content:"/survey.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; content:"/tcsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; content:"/win-c-sample.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; content:"/rksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; content:"/w3tvars.pm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:878; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; content:"/admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; content:"/LWGate"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP archie access"; flow:to_server,established; content:"/archie"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:881; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; content:"/calendar"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:882; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; content:"/flexform"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bash access"; flow:to_server,established; content:"/bash"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf access"; flow:to_server,established; content:"/phf"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; content:"/www-sql"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; content:"/wwwadmin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:888; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; content:"/ppdscgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; content:"/sendform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; content:"/upload.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:891; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; content:"/AnyForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; content:"/bb-hist.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; content:"/redirect"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; content:"/way-board"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; content:"/pals-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; content:"/commerce.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; content:"templ="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; content:"tstisapi.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:941; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; content:"/_private/orders.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:942; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:943; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:944; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:945; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:946; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:947; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:949; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:950; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:952; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:956; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:957; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:960; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:964; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:968; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; metadata:ruleset community, service http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; content:"/*.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; content:".bat?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; content:"/scripts/CGImail.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/ctguestb.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/details.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MSProxy access"; flow:to_server,established; content:"/scripts/proxy/w3proxy.dll"; nocase; http_uri; metadata:ruleset community, service http;
reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-
activity; sid:986; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY .htr
access file download request"; flow:to_server,established; content:".htr";
fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:ruleset
community, service http; reference:bugtraq,1488; reference:cve,2000-0630;
reference:cve,2001-0004; reference:nessus,10680;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004;
classtype:misc-activity; sid:987; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC
sensepost.exe command shell"; flow:to_server,established; content:"/sensepost.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER
Microsoft Frontpage _vti_inf.html access"; flow:to_server,established;
content:"/_vti_inf.html"; nocase; http_uri; metadata:ruleset community, service
http; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
achg.htr access"; flow:to_server,established; content:"/iisadmpwd/achg.htr";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110;
reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
adctest.asp access"; flow:to_server,established;
content:"/msadc/samples/adctest.asp"; nocase; http_uri; metadata:ruleset community,
service http; classtype:web-application-activity; sid:992; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,189;
reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack;
sid:993; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
/scripts/iisadmin/default.htm access"; flow:to_server,established;
content:"/scripts/iisadmin/default.htm"; nocase; http_uri; metadata:ruleset
community, service http; classtype:web-application-attack; sid:994; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll
access"; flow:to_server,established; content:"/scripts/iisadmin/ism.dll?http/dir";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189;
reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack;
sid:995; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
anot.htr access"; flow:to_server,established; content:"/iisadmpwd/anot"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2110;
reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-dot
attempt"; flow:to_server,established; content:".asp."; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1814;
reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-
srch attempt"; flow:to_server,established; content:"|23|filename=*.asp"; nocase;
http_uri; metadata:ruleset community, service http; classtype:web-application-
attack; sid:998; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir
access"; flow:to_server,established; content:"/scripts/iisadmin/bdir.htr"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2280;
classtype:web-application-activity; sid:999; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2280;
reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri;
content:"icatcommand="; nocase; metadata:ruleset community, service http;
reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon;
sid:1001; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe
access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri;
metadata:ruleset community, service http; classtype:web-application-attack;
sid:1002; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd?
access"; flow:to_server,established; content:".cmd?&"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-attack;
sid:1003; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
codebrowser Exair access"; flow:to_server,established;
content:"/iissamples/exair/howitworks/codebrws.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0499;
reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
codebrowser SDK access"; flow:to_server,established;
content:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,167; reference:cve,1999-0736;
classtype:web-application-activity; sid:1005; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
Form_JScript.asp access"; flow:to_server,established; content:"/Form_JScript.asp";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594;
reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104;
reference:nessus,10572; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS del
attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*";
fast_pattern:only; metadata:ruleset community, service http; classtype:web-
application-attack; sid:1008; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
directory listing"; flow:to_server,established;
content:"/ServerVariables_Jscript.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:nessus,10573; classtype:web-application-attack;
sid:1009; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
encoding access"; flow:to_server,established; content:"%1u"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,886;
reference:cve,2000-0024; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS exec-
src access"; flow:to_server,established; content:"|23|filename=*.exe";
fast_pattern:only; metadata:ruleset community, service http; classtype:web-
application-activity; sid:1011; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount
attempt"; flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase;
http_uri; content:"Digits="; nocase; metadata:ruleset community, service http;
reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack;
sid:1012; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount
access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2252;
reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
getdrvs.exe access"; flow:to_server,established;
content:"/scripts/tools/getdrvs.exe"; nocase; http_uri; metadata:ruleset community,
service http; classtype:web-application-activity; sid:1015; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
global.asa access"; flow:to_server,established; content:"/global.asa"; nocase;
http_uri; metadata:ruleset community, service http; reference:cve,2000-0778;
reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004;
classtype:web-application-activity; sid:1016; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS idc-
srch attempt"; flow:to_server,established; content:"|23|filename=*.idc";
fast_pattern:only; metadata:ruleset community, service http; reference:cve,1999-
0874; classtype:web-application-attack; sid:1017; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2110;
reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack;
sid:1018; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
Malformed Hit-Highlighting Argument File Access Attempt";
flow:to_server,established; content:"CiWebHitsFile="; nocase; http_uri;
pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; content:"CiRestriction=none";
fast_pattern; nocase; http_uri; content:"ciHiliteType=Full"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,950;
reference:cve,2000-0097; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762;
classtype:web-application-attack; sid:1019; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
isc$data attempt"; flow:to_server,established; content:".idc|3A 3A 24|data";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307;
reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack;
sid:1020; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll
attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri;
pcre:"/\s{230,}\.htr/U"; metadata:ruleset community, service http;
reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031;
classtype:web-application-attack; sid:1021; rev:29;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS jet vba
access"; flow:to_server,established;
content:"/advworks/equipment/catalog_type.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,286; reference:cve,1999-0874;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030;
classtype:web-application-activity; sid:1022; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,529;
reference:cve,1999-1011; reference:nessus,10357;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025;
classtype:web-application-activity; sid:1023; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
newdsn.exe access"; flow:to_server,established;
content:"/scripts/tools/newdsn.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1818; reference:cve,1999-0191;
reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl
access"; flow:to_server,established; content:"/scripts/perl"; nocase; http_uri;
metadata:ruleset community, service http; classtype:web-application-activity;
sid:1025; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-
browse newline attempt"; flow:to_server,established; content:"|0A|.pl"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,6833;
reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-
browse space attempt"; flow:to_server,established; content:" .pl"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,6833;
reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
query.asp access"; flow:to_server,established; content:"/issamples/query.asp";
nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service
http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-
activity; sid:1028; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
scripts-browse access"; flow:to_server,established; content:"/scripts/ ";
fast_pattern:only; metadata:ruleset community, service http;
reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
search97.vts access"; flow:to_server,established; content:"/search97.vts";
http_uri; metadata:ruleset community, service http; reference:bugtraq,162;
classtype:web-application-activity; sid:1030; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
/SiteServer/Publishing/viewcode.asp access"; flow:to_server,established;
content:"/SiteServer/Publishing/viewcode.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:nessus,10576; classtype:web-application-
activity; sid:1031; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
showcode access"; flow:to_server,established;
content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0737;
reference:nessus,10576; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
viewcode access"; flow:to_server,established;
content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase;
http_uri; metadata:ruleset community, service http; reference:cve,1999-0737;
reference:nessus,10576; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
viewcode access"; flow:to_server,established;
content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp";
nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-
0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
viewcode access"; flow:to_server,established;
content:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0737;
reference:nessus,10576; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
viewcode access"; flow:to_server,established;
content:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0737;
reference:nessus,10576; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
showcode.asp access"; flow:to_server,established; content:"/showcode.asp"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,167;
reference:cve,1999-0736; reference:nessus,10007;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013;
classtype:web-application-activity; sid:1037; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site
server config access"; flow:to_server,established;
content:"/adsamples/config/site.csc"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-
application-activity; sid:1038; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
srch.htm access"; flow:to_server,established; content:"/samples/isapi/srch.htm";
nocase; http_uri; metadata:ruleset community, service http; classtype:web-
application-activity; sid:1039; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srchadm
access"; flow:to_server,established; content:"/srchadm"; nocase; http_uri;
metadata:ruleset community, service http; reference:nessus,11032; classtype:web-
application-activity; sid:1040; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
uploadn.asp access"; flow:to_server,established; content:"/scripts/uploadn.asp";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811;
reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS view
source via translate header"; flow:to_server,established; content:"Translate|3A|
F"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community,
service http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-
0778; reference:nessus,10491; classtype:web-application-activity; sid:1042;
rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
viewcode.asp access"; flow:to_server,established; content:"/viewcode.asp"; nocase;
http_uri; metadata:ruleset community, service http; reference:cve,1999-0737;
reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS webhits
access"; flow:to_server,established; content:".htw"; http_uri; metadata:ruleset
community, service http; reference:bugtraq,950; reference:cve,2000-0097;
classtype:web-application-activity; sid:1044; rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-IIS
Unauthorized IP Access Attempt"; flow:to_client,established; content:"403";
content:"Forbidden|3A|"; metadata:ruleset community, service http; classtype:web-
application-attack; sid:1045; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
site/iisamples access"; flow:to_server,established; content:"/site/iisamples";
nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370;
classtype:web-application-activity; sid:1046; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9;
metadata:ruleset community, service http; reference:bugtraq,2294;
reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Netscape Enterprise directory listing attempt"; flow:to_server,established;
content:"INDEX "; depth:6; metadata:ruleset community, service http;
reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691;
classtype:web-application-attack; sid:1048; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
iPlanet GETPROPERTIES attempt"; flow:to_server,established;
content:"GETPROPERTIES"; depth:13; metadata:ruleset community, service http;
reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack;
sid:1050; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-OTHER
technote main.cgi file directory traversal attempt"; flow:to_server,established;
content:"/technote/main.cgi"; fast_pattern; nocase; http_uri; content:"filename=";
nocase; content:"../../"; metadata:ruleset community, service http;
reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584;
classtype:web-application-attack; sid:1051; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
technote print.cgi directory traversal attempt"; flow:to_server,established;
content:"/technote/print.cgi"; fast_pattern; nocase; http_uri; content:"board=";
nocase; content:"../../"; http_raw_uri; content:"%00"; http_raw_uri;
metadata:ruleset community, service http; reference:bugtraq,2156;
reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack;
sid:1052; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ads.cgi command execution attempt"; flow:to_server,established; content:"/ads.cgi";
fast_pattern; nocase; http_uri; content:"file="; nocase; content:"../../";
http_raw_uri; content:"|7C|"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464;
classtype:web-application-attack; sid:1053; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
weblogic/tomcat .jsp view source attempt"; flow:to_server,established;
content:".jsp"; nocase; http_uri; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi";
metadata:ruleset community, service http; reference:bugtraq,2527; classtype:web-
application-attack; sid:1054; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE
Apache Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp";
http_uri; metadata:ruleset community, service http; reference:bugtraq,2527;
reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL ftp attempt";
flow:to_server,established; content:"ftp.exe"; fast_pattern:only; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1057; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_enumdsn
attempt"; flow:to_server,established; content:"xp_enumdsn"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-attack;
sid:1058; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_filelist
attempt"; flow:to_server,established; content:"xp_filelist"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-attack;
sid:1059; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL
xp_availablemedia attempt"; flow:to_server,established;
content:"xp_availablemedia"; fast_pattern:only; metadata:ruleset community, service
http; classtype:web-application-attack; sid:1060; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_cmdshell
attempt"; flow:to_server,established; content:"xp_cmdshell"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,5309; classtype:web-
application-attack; sid:1061; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
nc.exe attempt"; flow:to_server,established; content:"nc.exe"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-activity;
sid:1062; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wsh
attempt"; flow:to_server,established; content:"wsh.exe"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-activity;
sid:1064; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rcmd
attempt"; flow:to_server,established; content:"rcmd.exe"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; classtype:web-application-
activity; sid:1065; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
telnet attempt"; flow:to_server,established; content:"telnet.exe";
fast_pattern:only; metadata:ruleset community, service http; classtype:web-
application-activity; sid:1066; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP net
attempt"; flow:to_server,established; content:"net.exe"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-activity;
sid:1067; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tftp
attempt"; flow:to_server,established; content:"tftp.exe"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-activity;
sid:1068; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regread
attempt"; flow:to_server,established; content:"xp_regread"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-activity;
sid:1069; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8;
nocase; metadata:ruleset community, service http; reference:bugtraq,1756;
reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
.htpasswd access"; flow:to_server,established; content:".htpasswd";
fast_pattern:only; metadata:ruleset community, service http; classtype:web-
application-attack; sid:1071; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Lotus Domino directory traversal"; flow:to_server,established; content:".nsf/";
http_uri; content:"../"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2173; reference:cve,2001-0009;
reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
webhits.exe access"; flow:to_server,established;
content:"/scripts/samples/search/webhits.exe"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,950;
reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
postinfo.asp access"; flow:to_server,established; content:"/scripts/postinfo.asp";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811;
reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
repost.asp access"; flow:to_server,established; content:"/scripts/repost.asp";
nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10372;
classtype:web-application-activity; sid:1076; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL queryhit.htm
access"; flow:to_server,established; content:"/samples/search/queryhit.htm";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL counter.exe
access"; flow:to_server,established; content:"/counter.exe"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,267;
reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?/iR"; metadata:ruleset community, service http; reference:bugtraq,1656; reference:cve,2000-0869; reference:cve,2003-0718; reference:nessus,10505; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-030; classtype:web-application-activity; sid:1079; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; content:"/servlet/com.unify.servletexec.UploadServlet"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; content:"/dsgw/bin/search?context="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; content:"/servlet/ServletExec"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; flow:to_server,established; content:"servlet/......."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community, service http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"?STRENGUR"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; content:"/web_store.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; content:"/shop.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1090; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; content:"??????????"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"keys"; distance:0; nocase; http_uri; content:"catigory=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; content:"/cached_feed.cgi"; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"script=test.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"about"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; content:"/webplus.cgi?"; nocase; http_uri; content:"Script=/webplus/webping/webping.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; content:"_private/shopping_cart.mdb"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; content:"/cybercop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1099; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1100; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1101; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1102; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; content:"/admin-serv/config/admpw"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; content:"/bb-hostsvc.sh?"; nocase; http_uri; content:"HOSTSVC"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; content:"/pollit/Poll_It_SSI_v2.0.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; content:"/ftp.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; content:"/%00"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; classtype:attempted-recon; sid:1109; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; content:".html/......"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; content:"?DeleteDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1116; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; content:"?EditDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l"; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1118; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; content:"/mlog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; content:"/mylog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1122; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; content:"?PageServices"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; content:"/config/check.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1124; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; content:"/webcart/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; content:"_AuthChangeUrl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; content:"/scripts/convert.bas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; content:"/scripts/cpshost.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; content:".htaccess"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1129; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1130; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1131; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; classtype:attempted-recon; sid:1133; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; content:"/admin.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd.."; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1136; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; content:"/guestbook.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler access"; flow:to_server,established; content:"/handler"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community, service http; classtype:attempted-recon; sid:1142; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP root access"; flow:to_server,established; content:"/~root"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1145; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/config/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1146; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; content:"cat "; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/orders/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1148; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; content:"/count.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino catalog.nsf access"; flow:to_server,established; content:"/catalog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; content:"/domcfg.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; content:"/domlog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; content:"/log.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; content:"/names.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; content:"/orders/checks.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////"; fast_pattern:only; content:"////////"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2503; reference:cve,2001-0925; classtype:attempted-dos; sid:1156; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; content:"/PSUser/PSCOErrPage.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; content:"/windmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; content:"/webplus?script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; content:"/passwd.php3"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; content:"/c32web.exe/ChangeAdminPassword"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; content:"/webdist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; content:"/quikstore.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; content:"/rpm_query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; content:"/mall_log_files/order.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; content:"/bigconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; content:"/ews/architext_query.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; content:"/cgi-bin/jj"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; content:"/wwwboard.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; content:"/read.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1178; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; content:"/violation.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; content:"/get32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; content:"/ping?query="; http_uri; metadata:ruleset community, service http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-cs-dump"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-info"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; content:"mail"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-diff"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
SalesLogix Eviewer web command attempt"; flow:to_server,established;
content:"/slxweb.dll/admin?command="; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1078; reference:bugtraq,1089;
reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361;
classtype:web-application-attack; sid:1187; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Netscape Enterprise Server directory view"; flow:to_server,established; content:"?
wp-start-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon;
sid:1188; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Netscape Enterprise Server directory view"; flow:to_server,established; content:"?
wp-stop-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon;
sid:1189; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Netscape Enterprise Server directory view"; flow:to_server,established; content:"?
wp-uncheckout"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon;
sid:1190; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Netscape Enterprise Server directory view"; flow:to_server,established; content:"?
wp-html-rend"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon;
sid:1191; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Trend Micro OfficeScan access"; flow:to_server,established;
content:"/officescan/cgi/jdkRqNotify.exe"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1057;
classtype:attempted-recon; sid:1192; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
oracle web arbitrary command execution attempt"; flow:to_server,established;
content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1053; reference:cve,2000-0169;
reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
sojourn.cgi File attempt"; flow:to_server,established; content:"/sojourn.cgi?";
nocase; http_uri; content:"cat="; distance:0; nocase; http_uri; content:"%00";
nocase; metadata:ruleset community, service http; reference:bugtraq,1052;
reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack;
sid:1194; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; content:"/sojourn.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; content:"/infosrch.cgi?"; fast_pattern; nocase; http_uri; content:"fname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; content:"/code.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1197; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-usr-prop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL"; nocase; metadata:ruleset community, service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; content:"403"; http_stat_code; metadata:ruleset community, service http; classtype:attempted-recon; sid:1201; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established; content:"/search.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ax-admin.cgi access"; flow:to_server,established; content:"/ax-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1204; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP axs.cgi access"; flow:to_server,established; content:"/axs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1205; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established; content:"/cachemgr.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; content:"/htgrep"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity; sid:1207; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established; content:"/responder.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; content:"/.nsconfig"; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1209; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; content:"/web-map.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1211; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established; content:"/admin_files"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1212; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP backup access"; flow:to_server,established; content:"/backup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1213; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP intranet access"; flow:to_server,established; content:"/intranet/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ministats admin access"; flow:to_server,established; content:"/ministats/admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1215; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP plusmail access"; flow:to_server,established; content:"/plusmail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adminlogin access"; flow:to_server,established; content:"/adminlogin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dfire.cgi access"; flow:to_server,established; content:"/dfire.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ultraboard access"; flow:to_server,established; content:"/ultraboard"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Muscat Empower cgi access"; flow:to_server,established; content:"/empower?DB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi arbitrary file access attempt"; flow:to_server,established; content:"/pals-cgi"; fast_pattern; nocase; http_uri; content:"documentName="; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROADS search.pl attempt"; flow:to_server,established; content:"/ROADS/cgi-bin/search.pl"; http_uri; content:"form="; nocase; metadata:ruleset community, service http; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:1225; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unknown; sid:1226; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:ruleset community, service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established; content:"/FtpSave.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; metadata:ruleset community; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established; content:"/FtpSaveCSP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established; content:"/FtpSaveCVP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt"; flow:to_server,established; content:"/SWEditServlet"; http_uri; content:"template=../../../"; metadata:ruleset community, service http; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:ruleset community, service http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:21;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16;)
# alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"/db_mysql.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"SERVER-OTHER Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet access"; flow:to_server,established; content:"/SWEditServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"SERVER-OTHER AIX pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1262; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1265; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1267; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1269; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1270; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1272; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1275; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established; content:"/exchange/LogonFrm.asp?"; fast_pattern; nocase; http_uri; content:"mailbox="; nocase; content:"%%%"; metadata:ruleset community, service http; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:21;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; content:"/readme.eml"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; content:"/_mem_bin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:16;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER readme.eml autoload attempt"; flow:to_client,established; file_data; content:"window.open|28 22|readme.eml|22|"; nocase; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established; content:"/graphics/sml3com"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"INDICATOR-COMPROMISE nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; metadata:ruleset community; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established; content:"/admin.php"; fast_pattern; nocase; http_uri; content:"file_name="; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established; content:"/admin.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; content:"/cgi-bin/console.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; content:"/cgi-bin/cs.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1304; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; content:"/../../../../"; http_raw_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established; content:"/store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established; content:"/sendmessage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1374; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established; content:"/?.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi"; metadata:ruleset community, service ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established; content:"/Form_VBScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1380; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"event="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13;)
# alert tcp any any -> any 6666:7000 (msg:"SERVER-OTHER CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; metadata:ruleset community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"OS-WINDOWS Microsoft Windows UPnP malformed advertisement"; flow:to_server,no_stream; content:"NOTIFY * "; fast_pattern:only; content:"LOCATION|3A|"; nocase; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1384; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established; content:"/admin_/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:22;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:1390; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established; content:"/lastlines.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi attempt"; flow:to_server,established; content:"/zml.cgi"; http_uri; content:"file=../"; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1395; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi access"; flow:to_server,established; content:"/zml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1396; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wayboard attempt"; flow:to_server,established; content:"/way-board/way-board.cgi"; http_uri; content:"db="; http_uri; content:"../.."; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-attack; sid:1397; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"SERVER-OTHER CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; metadata:ruleset community; reference:bugtraq,3517; reference:cve,2001-0803; reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established; content:"/index.php"; fast_pattern; nocase; http_uri; content:"file="; http_uri; pcre:"/file=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established; content:"/scripts/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established; content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri; content:"template="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3985; reference:cve,2002-2113; classtype:web-application-activity; sid:1405; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established; content:"/store/agora.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established; content:"/smssend.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; dsize:>1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:18;)
# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:17;)
# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"name=|22 CC CC CC CC CC|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition file upload attempt"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"form-data|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:12;)
# alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .history access"; flow:to_server,established; content:"/.history"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1433; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; content:"/.bash_history"; http_uri; metadata:ruleset community, service http; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; fast_pattern:only; metadata:ruleset community, service http; classtype:policy-violation; sid:1436; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smiH"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:1437; rev:27;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1439; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1440; rev:17;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1441; rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1442; rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1443; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|"; depth:2; metadata:ruleset community; classtype:bad-unknown; sid:1444; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1445; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:ruleset community, service smtp; classtype:attempted-recon; sid:1446; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Vintra Mailserver expn *@"; flow:to_server,established; content:"expn"; fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi"; metadata:ruleset community, service smtp; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2563; reference:cve,2001-0400; reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; content:"/args.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established; content:"/AT-generated.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; content:"/wwwwais"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established; content:"calendar"; nocase; http_uri; pcre:"/calendar(|[-_]admin)\.pl/Ui"; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established; content:"/calender_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0432; reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established; content:"/user_update_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established; content:"/user_update_passwd.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; content:"/bb-histlog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; content:"/bb-rep.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; content:"/bb-replog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:17;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC message"; flow:established; dsize:<140; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:15;)
# alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established; content:"/auktion.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established; content:"/cgiforum.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established; content:"/directorypro.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern; nocase; http_uri; content:"newpage=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533; classtype:web-application-attack; sid:1468; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established; content:"/listrec.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3328; reference:cve,2001-0997; reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established; content:"/mailnews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established; content:"/newsdesk.cgi"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2172; reference:cve,2001-0232; reference:nessus,10586; classtype:attempted-recon; sid:1473; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established; content:"/cal_make.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established; content:"/mailit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503;
reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Simple Web Counter URI Parameter Buffer Overflow attempt";
flow:to_server,established; content:"/swc"; nocase; http_uri; content:"ctr=";
distance:0; nocase; http_uri; urilen:>500; metadata:ruleset community, service
http; reference:bugtraq,6581; reference:nessus,10493; classtype:attempted-user;
sid:1478; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ttawebtop.cgi arbitrary file attempt"; flow:to_server,established;
content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,2890;
reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack;
sid:1479; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ttawebtop.cgi access"; flow:to_server,established; content:"/ttawebtop.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696;
classtype:attempted-recon; sid:1480; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
upload.cgi access"; flow:to_server,established; content:"/upload.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
view_source access"; flow:to_server,established; content:"/view_source";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294;
classtype:attempted-recon; sid:1482; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ustorekeeper.pl access"; flow:to_server,established; content:"/ustorekeeper.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-
activity; sid:1483; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
mkilog.exe access"; flow:to_server,established; content:"/mkilog.exe"; nocase;
http_uri; metadata:ruleset community, service http; reference:nessus,10359;
classtype:web-application-activity; sid:1485; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
ctss.idc access"; flow:to_server,established; content:"/ctss.idc"; nocase;
http_uri; metadata:ruleset community, service http; reference:nessus,10359;
classtype:web-application-activity; sid:1486; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
/iisadmpwd/aexp2.htr access"; flow:to_server,established;
content:"/iisadmpwd/aexp2.htr"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-
0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-
activity; sid:1487; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
store.cgi directory traversal attempt"; flow:to_server,established;
content:"/store.cgi"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri;
metadata:ruleset community, service http; reference:bugtraq,2385;
reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack;
sid:1488; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
nobody access"; flow:to_server,established; content:"/~nobody"; http_uri;
metadata:ruleset community, service http; reference:nessus,10484; classtype:web-
application-attack; sid:1489; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Phorum /support/common.php attempt"; flow:to_server,established;
content:"/support/common.php"; http_uri; content:"ForumLang=../"; metadata:ruleset
community, service http; reference:bugtraq,1997; classtype:web-application-attack;
sid:1490; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Phorum /support/common.php access"; flow:to_server,established;
content:"/support/common.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1997; reference:bugtraq,9361;
reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS
ISP /newuser directory traversal attempt"; flow:to_server,established;
content:"/newuser?Image=../.."; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521;
classtype:web-application-attack; sid:1492; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS
ISP /newuser access"; flow:to_server,established; content:"/newuser"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1704;
reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-
activity; sid:1493; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX
webboard generate.cgi attempt"; flow:to_server,established;
content:"/generate.cgi"; http_uri; content:"content=../"; metadata:ruleset
community, service http; reference:bugtraq,3175; reference:cve,2001-1115;
reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX
webboard generate.cgi access"; flow:to_server,established; content:"/generate.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725;
classtype:web-application-activity; sid:1495; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
spin_client.cgi access"; flow:to_server,established; content:"/spin_client.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP SiteScope
Service access"; flow:to_server,established;
content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community;
reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ExAir access"; flow:to_server,established; content:"/exair/search/";
fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset
community, service http; reference:bugtraq,193; reference:cve,1999-0449;
reference:nessus,10002; reference:nessus,10003; reference:nessus,10004;
classtype:web-application-activity; sid:1500; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established;
content:"/a1disp3.cgi?"; fast_pattern:only; http_uri; content:"/../../";
http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2705;
reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack;
sid:1501; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
a1stats a1disp3.cgi access"; flow:to_server,established; content:"/a1disp3.cgi";
http_uri; metadata:ruleset community, service http; reference:bugtraq,2705;
reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-
activity; sid:1502; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
admentor admin.asp access"; flow:to_server,established;
content:"/admentor/admin/admin.asp"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880;
reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-
application-activity; sid:1503; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS access";
flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00
00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community;
reference:nessus,10441; classtype:misc-activity; sid:1504; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
alchemy http server PRN arbitrary command execution attempt";
flow:to_server,established; content:"/PRN/"; fast_pattern; http_uri;
content:"../../"; http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818;
classtype:web-application-activity; sid:1505; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
alchemy http server NUL arbitrary command execution attempt";
flow:to_server,established; content:"/NUL/"; fast_pattern; http_uri;
content:"../../"; http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818;
classtype:web-application-activity; sid:1506; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
alibaba.pl arbitrary command execution attempt"; flow:to_server,established;
content:"/alibaba.pl|7C|"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,770; reference:cve,1999-0885;
reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
alibaba.pl access"; flow:to_server,established; content:"/alibaba.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013;
classtype:web-application-activity; sid:1508; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
AltaVista Intranet Search directory traversal attempt"; flow:to_server,established;
content:"/query?mss=.."; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,896; reference:cve,2000-0039;
reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
test.bat arbitrary command execution attempt"; flow:to_server,established;
content:"/test.bat|7C|"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-attack; sid:1510; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
test.bat access"; flow:to_server,established; content:"/test.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-activity; sid:1511; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
input.bat arbitrary command execution attempt"; flow:to_server,established;
content:"/input.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,762; reference:cve,1999-0947;
reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
input.bat access"; flow:to_server,established; content:"/input.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-activity; sid:1513; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
input2.bat arbitrary command execution attempt"; flow:to_server,established;
content:"/input2.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,762; reference:cve,1999-0947;
reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
input2.bat access"; flow:to_server,established; content:"/input2.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-activity; sid:1515; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
envout.bat arbitrary command execution attempt"; flow:to_server,established;
content:"/envout.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,762; reference:cve,1999-0947;
reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
envout.bat access"; flow:to_server,established; content:"/envout.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-activity; sid:1517; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-WEBAPP nstelemetry.adp
access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset
community; reference:nessus,10753; classtype:web-application-activity; sid:1518;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
apache ?M=D directory list attempt"; flow:to_server,established; content:"/?M=D";
http_uri; metadata:ruleset community, service http; reference:bugtraq,3009;
reference:cve,2001-0731; reference:nessus,10704; classtype:web-application-
activity; sid:1519; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
server-info access"; flow:to_server,established; content:"/server-info"; http_uri;
metadata:ruleset community, service http;
reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-
activity; sid:1520; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
server-status access"; flow:to_server,established; content:"/server-status";
http_uri; metadata:ruleset community, service http;
reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-
activity; sid:1521; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ans.pl attempt"; flow:to_server,established; content:"/ans.pl?"; nocase; http_uri;
content:"p=../../"; distance:0; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-
0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-
attack; sid:1522; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ans.pl access"; flow:to_server,established; content:"/ans.pl"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4147;
reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307;
reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis
Storpoint CD attempt"; flow:to_server,established;
content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community, service http;
reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023;
classtype:web-application-attack; sid:1524; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis
Storpoint CD access"; flow:to_server,established;
content:"/config/html/cnf_gi.htm"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023;
classtype:web-application-activity; sid:1525; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
basilix sendmail.inc access"; flow:to_server,established;
content:"/inc/sendmail.inc"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601;
classtype:web-application-activity; sid:1526; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
basilix mysql.class access"; flow:to_server,established;
content:"/class/mysql.class"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601;
classtype:web-application-activity; sid:1527; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
BBoard access"; flow:to_server,established;
content:"/servlet/sunexamples.BBoardServlet"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1459; reference:cve,2000-0629;
reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE overflow
attempt"; flow:to_server,established; content:"SITE"; nocase;
isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi"; metadata:ruleset
community, service ftp; reference:cve,1999-0838; reference:cve,2001-0755;
reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-
hist.sh attempt"; flow:to_server,established; content:"/bb-hist.sh?"; nocase;
http_uri; content:"HISTFILE=../.."; distance:0; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,142; reference:cve,1999-1462;
reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-
hostscv.sh attempt"; flow:to_server,established; content:"/bb-hostsvc.sh?";
fast_pattern:only; http_uri; content:"HOSTSVC"; nocase; http_uri; content:"../..";
distance:0; http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460;
classtype:web-application-attack; sid:1532; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-
hostscv.sh access"; flow:to_server,established; content:"/bb-hostsvc.sh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460;
classtype:web-application-activity; sid:1533; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
agora.cgi attempt"; flow:to_server,established; content:"/store/agora.cgi?";
nocase; http_uri; content:"cart_id=<SCRIPT>"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,3702;
reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215;
reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
bizdbsearch access"; flow:to_server,established; content:"/bizdb1-search.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383;
classtype:web-application-activity; sid:1535; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established;
content:"/calendar_admin.pl?"; nocase; http_uri; content:"config=|7C|"; distance:0;
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215;
reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-attack;
sid:1536; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
calendar_admin.pl access"; flow:to_server,established;
content:"/calendar_admin.pl"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506;
classtype:web-application-activity; sid:1537; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP AUTHINFO USER
overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase;
content:"USER"; distance:0; nocase; isdataat:200,relative;
pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; metadata:ruleset community;
reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388;
classtype:attempted-admin; sid:1538; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
/cgi-bin/ls access"; flow:to_server,established; content:"/cgi-bin/ls";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037;
classtype:web-application-activity; sid:1539; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe
Coldfusion ?Mode=debug attempt"; flow:to_server,established; content:"Mode=debug";
nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-
0760; reference:nessus,10797; classtype:web-application-activity; sid:1540;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query";
flow:to_server,established; content:"version"; metadata:ruleset community;
classtype:attempted-recon; sid:1541; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
cgimail access"; flow:to_server,established; content:"/cgimail"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,1623;
reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-
activity; sid:1542; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
cgiwrap access"; flow:to_server,established; content:"/cgiwrap"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,1238;
reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530;
reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041;
classtype:web-application-activity; sid:1543; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Cisco Catalyst command execution attempt"; flow:to_server,established;
content:"/exec/show/config/cr"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1846; reference:cve,2000-0945;
reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco
denial of service attempt"; flow:to_server,established; dsize:1; content:"|13|";
metadata:ruleset community, service http; classtype:web-application-attack;
sid:1545; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Cisco HTTP double-percent DOS attempt"; flow:to_server,established; content:"/%%";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1154; reference:cve,2000-0380; reference:nessus,10387;
classtype:web-application-attack; sid:1546; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
csSearch.cgi arbitrary command execution attempt"; flow:to_server,established;
content:"/csSearch.cgi"; http_uri; content:"setup="; content:"`"; content:"`";
distance:1; metadata:ruleset community, service http; reference:bugtraq,4368;
reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack;
sid:1547; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
csSearch.cgi access"; flow:to_server,established; content:"/csSearch.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924;
classtype:web-application-activity; sid:1548; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL HELO overflow
attempt"; flow:to_server,established; content:"HELO"; nocase;
isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-
0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin;
sid:1549; rev:27;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ETRN overflow
attempt"; flow:to_server,established; content:"ETRN"; nocase;
isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-
0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
/CVS/Entries access"; flow:to_server,established; content:"/CVS/Entries"; http_uri;
metadata:ruleset community, service http; reference:nessus,10922;
reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
cvsweb version access"; flow:to_server,established; content:"/cvsweb/version";
http_uri; metadata:ruleset community, service http; reference:cve,2000-0670;
reference:nessus,10465; classtype:web-application-activity; sid:1552; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
dbman db.cgi access"; flow:to_server,established; content:"/dbman/db.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403;
classtype:web-application-activity; sid:1554; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
DCShop access"; flow:to_server,established; content:"/dcshop"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2889;
reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
DCShop orders.txt access"; flow:to_server,established;
content:"/orders/orders.txt"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2889; reference:cve,2001-0821;
classtype:web-application-activity; sid:1556; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
DCShop auth_user_file.txt access"; flow:to_server,established;
content:"/auth_data/auth_user_file.txt"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2889;
reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Delegate whois
overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase;
metadata:ruleset community; reference:cve,2000-0165; reference:nessus,10054;
classtype:web-application-activity; sid:1558; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
/doc/packages access"; flow:to_server,established; content:"/doc/packages";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518;
reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
/doc/ access"; flow:to_server,established; content:"/doc/"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,318;
reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHOWN
overflow attempt"; flow:to_server,established; content:"SITE"; nocase;
content:"CHOWN"; distance:0; nocase; isdataat:100,relative;
pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; metadata:ruleset community, service ftp;
reference:bugtraq,2120; reference:cve,2001-0065; reference:nessus,10579;
classtype:attempted-admin; sid:1562; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
login.htm attempt"; flow:to_server,established; content:"/login.htm?"; nocase;
http_uri; content:"password="; distance:0; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,665; reference:cve,1999-1533;
classtype:web-application-activity; sid:1563; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
login.htm access"; flow:to_server,established; content:"/login.htm";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity;
sid:1564; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
eshop.pl arbitrary command execution attempt"; flow:to_server,established;
content:"/eshop.pl?"; nocase; http_uri; content:"seite=|3B|"; distance:0; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,3340;
reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
eshop.pl access"; flow:to_server,established; content:"/eshop.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-
activity; sid:1566; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
/exchange/root.asp attempt"; flow:to_server,established; content:"/exchange/root.asp?"; nocase; http_uri; content:"acs=anon"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-047; classtype:web-application-attack; sid:1567; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /exchange/root.asp access"; flow:to_server,established; content:"/exchange/root.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi directory traversal attempt"; flow:to_server,established; content:"/loadpage.cgi"; http_uri; content:"file=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-attack; sid:1569; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi access"; flow:to_server,established; content:"/loadpage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-activity; sid:1570; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi directory traversal attempt"; flow:to_server,established; content:"/dcforum.cgi"; http_uri; content:"forum=../.."; metadata:ruleset community, service http; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; reference:nessus,10583; classtype:web-application-attack; sid:1571; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi arbitrary file access attempt"; flow:to_server,established; content:"/commerce.cgi"; http_uri; content:"page="; http_uri; content:"/../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl attempt"; flow:to_server,established; content:"/cgiforum.pl?"; nocase; http_uri; content:"thesection=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi attempt"; flow:to_server,established; content:"/directorypro.cgi"; http_uri; content:"show="; content:"../.."; distance:1; metadata:ruleset community, service http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-attack; sid:1574; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mab.nsf access"; flow:to_server,established; content:"/mab.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4022; reference:cve,2001-1567; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino cersvr.nsf access"; flow:to_server,established; content:"/cersvr.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino setup.nsf access"; flow:to_server,established; content:"/setup.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino statrep.nsf access"; flow:to_server,established; content:"/statrep.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino webadmin.nsf access"; flow:to_server,established; content:"/webadmin.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9900; reference:bugtraq,9901; reference:cve,2004-2310; reference:cve,2004-2311; reference:cve,2004-2369; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino events4.nsf access"; flow:to_server,established; content:"/events4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino ntsync4.nsf access"; flow:to_server,established; content:"/ntsync4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino collect4.nsf access"; flow:to_server,established; content:"/collect4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mailw46.nsf access"; flow:to_server,established; content:"/mailw46.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino bookmark.nsf access"; flow:to_server,established; content:"/bookmark.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino agentrunner.nsf access"; flow:to_server,established; content:"/agentrunner.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mail.box access"; flow:to_server,established; content:"/mail.box"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,881; reference:cve,2000-0021; reference:cve,2000-0022; reference:cve,2000-0023; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgitest.exe access"; flow:to_server,established; content:"/cgitest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer access"; flow:to_server,established; content:"/slxweb.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP musicat empower attempt"; flow:to_server,established; content:"/empower?DB="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; content:"/faqmanager.cgi?"; nocase; http_uri; content:"toc="; distance:0; nocase; http_uri; content:"|00|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi access"; flow:to_server,established; content:"/faqmanager.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /fcgi-bin/echo.exe access"; flow:to_server,established; content:"/fcgi-bin/echo.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi external site redirection attempt"; flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern:only; http_uri; content:"redirect=http"; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi access"; flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS htimage.exe access"; flow:to_server,established; content:"/htimage.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.cgi access"; flow:to_server,established; content:"/guestbook.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Home Free search.cgi directory traversal attempt"; flow:to_server,established; content:"/search.cgi"; http_uri; content:"letter=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,921; reference:cve,2000-0054; reference:nessus,10101; classtype:web-application-attack; sid:1598; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.cgi access"; flow:to_server,established; content:"/search.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary configuration file attempt"; flow:to_server,established; content:"/htsearch?-c"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3410; reference:cve,2001-0834; classtype:web-application-attack; sid:1600; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary file read attempt"; flow:to_server,established; content:"/htsearch?exclude=`"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch access"; flow:to_server,established; content:"/htsearch"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; metadata:ruleset community, service http; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"SERVER-WEBAPP iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; metadata:ruleset community; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"SERVER-OTHER iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; metadata:ruleset community; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP icat access"; flow:to_server,established; content:"/icat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi access"; flow:to_server,established; content:"/hsx.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript attempt"; flow:to_server,established; content:"/htmlscript?../.."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; fast_pattern; nocase; http_uri; content:"%0a"; nocase; metadata:ruleset community, service http; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore access"; flow:to_server,established; content:"/web_store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl attempt"; flow:to_server,established; content:"/ftp.pl?"; nocase; http_uri; content:"dir=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler attempt"; flow:to_server,established; content:"/handler"; http_uri; content:"|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe attempt"; flow:to_server,established; content:"/GWWEB.EXE?"; nocase; http_uri; content:"HELP="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep attempt"; flow:to_server,established; content:"/htgrep"; http_uri; content:"hdr=/"; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-attack; sid:1615; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugzilla doeditvotes.cgi access"; flow:to_server,established; content:"/doeditvotes.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; content:".asp"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; classtype:attempted-admin; sid:1621; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; fast_pattern:only; content:" ././"; metadata:ruleset community, service ftp; reference:cve,1999-0081; classtype:misc-attack; sid:1622; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only; pcre:"/^MODE\s+[^ABSC]{1}/msi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1623; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PWD overflow attempt"; flow:to_server,established; content:"PWD"; nocase; isdataat:190,relative; pcre:"/^PWD\s.{190}/smi"; metadata:ruleset community, service ftp; classtype:protocol-command-decode; sid:1624; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SYST overflow attempt"; flow:to_server,established; content:"SYST"; nocase; isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1625; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; content:"/StoreCSVS/InstantOrder.asmx"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1626; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; content:"/FormHandler.cgi"; nocase; http_uri; content:"reply_message_attach="; fast_pattern:only; content:"/../"; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,21645; reference:bugtraq,791; reference:cve,1999-1511; reference:cve,2006-6605; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"SERVER-OTHER Xtramail Username overflow attempt"; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; metadata:ruleset community; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb access"; flow:to_server,established; content:"/YaBB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:1637; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1639; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1640; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"SERVER-OTHER DB2 dos attempt"; flow:to_server,established; dsize:1; metadata:ruleset community; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP document.d2w access"; flow:to_server,established; content:"/document.d2w"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP db2www access"; flow:to_server,established; content:"/db2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi attempt"; flow:to_server,established; content:"/test-cgi/*?*"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP testcgi access"; flow:to_server,established; content:"/testcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7214; reference:cve,2003-1531; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.cgi access"; flow:to_server,established; content:"/test.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1646; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established; content:"/perl.exe?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established; content:"/perl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tst.bat access"; flow:to_server,established; content:"/tst.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.pl access"; flow:to_server,established; content:"/environ.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1651; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas attempt"; flow:to_server,established; content:"/campas?|0A|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart32.exe access"; flow:to_server,established; content:"/cart32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:nessus,10389; classtype:web-application-activity; sid:1654; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/pfdispaly.cgi?"; nocase; http_uri; content:"'"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi access"; flow:to_server,established; content:"/pfdispaly.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi directory traversal attempt"; flow:to_server,established; content:"/pagelog.cgi"; nocase; http_uri; content:"name=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi access"; flow:to_server,established; content:"/pagelog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established; content:"/sendmail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0760; reference:cve,2001-0535; classtype:attempted-recon; sid:1659; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS trace.axd access"; flow:to_server,established; content:"/trace.axd"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1661; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /~ftp access"; flow:to_server,established; content:"/~ftp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1662; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP *%20.pl access"; flow:to_server,established; content:" .pl"; fast_pattern:only; http_uri; pcre:"/\/[^\r\n]*\x20.pl/Ui"; metadata:ruleset community, service http; reference:nessus,11007; reference:url,rtfm.vn.ua/inet/sec/cgi-bugs.htm; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mkplog.exe access"; flow:to_server,established; content:"/mkplog.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1664; rev:13;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE index of /cgi-bin/ response"; flow:to_client,established; file_data; content:"Index of /cgi-bin/"; nocase; metadata:ruleset community, service http; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ access"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"/cgi-bin/ HTTP"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1668; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-dos/ access"; flow:to_server,established; content:"/cgi-dos/"; http_uri; content:"/cgi-dos/ HTTP"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1669; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/ftp access"; flow:to_server,established; content:"/home/ftp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/www access"; flow:to_server,established; content:"/home/www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; fast_pattern:only; pcre:"/^CWD\s+~/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:22;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; metadata:ruleset community; classtype:system-call-detect; sid:1673; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1674; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE misparsed login response"; flow:to_client,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; metadata:ruleset community; classtype:suspicious-login; sid:1675; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1676; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1677; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1678; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1679; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1680; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_views access"; flow:to_server,established; content:"all_views"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1681; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1682; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1683; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1684; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1685; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1686; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1687; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1688;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase;
metadata:ruleset community; classtype:protocol-command-decode; sid:1689; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to
"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1690;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase;
content:" identified by "; nocase; metadata:ruleset community; classtype:protocol-
command-decode; sid:1691; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
drop table attempt"; flow:to_server,established; content:"drop table"; nocase;
metadata:ruleset community; classtype:protocol-command-decode; sid:1692; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
create table attempt"; flow:to_server,established; content:"create table"; nocase;
metadata:ruleset community; classtype:protocol-command-decode; sid:1693; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
alter table attempt"; flow:to_server,established; content:"alter table"; nocase;
metadata:ruleset community; classtype:protocol-command-decode; sid:1694; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
truncate table attempt"; flow:to_server,established; content:"truncate table";
nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1695;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
create database attempt"; flow:to_server,established; content:"create database";
nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1696;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
alter database attempt"; flow:to_server,established; content:"alter database";
nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1697;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
imagemap.exe access"; flow:to_server,established; content:"/imagemap.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122;
classtype:web-application-activity; sid:1700; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
calendar-admin.pl access"; flow:to_server,established; content:"/calendar-
admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506;
classtype:web-application-activity; sid:1701; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Amaya templates sendtemp.pl access"; flow:to_server,established;
content:"/sendtemp.pl"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-
application-activity; sid:1702; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
auktion.cgi directory traversal attempt"; flow:to_server,established;
content:"/auktion.cgi"; fast_pattern; nocase; http_uri; content:"menue=../../";
nocase; metadata:ruleset community, service http; reference:bugtraq,2367;
reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack;
sid:1703; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
cal_make.pl directory traversal attempt"; flow:to_server,established;
content:"/cal_make.pl"; nocase; http_uri; content:"p0=../../"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,2663;
reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack;
sid:1704; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
echo.bat arbitrary command execution attempt"; flow:to_server,established;
content:"/echo.bat"; http_uri; content:"&"; metadata:ruleset community, service
http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246;
classtype:web-application-attack; sid:1705; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
echo.bat access"; flow:to_server,established; content:"/echo.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246;
classtype:web-application-activity; sid:1706; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
hello.bat arbitrary command execution attempt"; flow:to_server,established;
content:"/hello.bat"; http_uri; content:"&"; metadata:ruleset community, service
http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246;
classtype:web-application-attack; sid:1707; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
hello.bat access"; flow:to_server,established; content:"/hello.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246;
classtype:web-application-activity; sid:1708; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ad.cgi access"; flow:to_server,established; content:"/ad.cgi"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,2103;
reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-
activity; sid:1709; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
bbs_forum.cgi access"; flow:to_server,established; content:"/bbs_forum.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2177; reference:cve,2001-0123;
reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-
activity; sid:1710; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
bsguest.cgi access"; flow:to_server,established; content:"/bsguest.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-
activity; sid:1711; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
bslist.cgi access"; flow:to_server,established; content:"/bslist.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-
activity; sid:1712; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
cgforum.cgi access"; flow:to_server,established; content:"/cgforum.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-
activity; sid:1713; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
newdesk access"; flow:to_server,established; content:"/newdesk"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; classtype:web-application-
activity; sid:1714; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
register.cgi access"; flow:to_server,established; content:"/register.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-
activity; sid:1715; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
gbook.cgi access"; flow:to_server,established; content:"/gbook.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-
activity; sid:1716; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
simplestguest.cgi access"; flow:to_server,established;
content:"/simplestguest.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2106; reference:cve,2001-0022;
classtype:web-application-activity; sid:1717; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
statsconfig.pl access"; flow:to_server,established; content:"/statsconfig.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-
activity; sid:1718; rev:19;)
# The URI content in the two rules below must name the vulnerable script, talkback.cgi (bugtraq 2547, CVE-2001-0420); the msg and references already do.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi directory traversal attempt"; flow:to_server,established; content:"/talkback.cgi"; nocase; http_uri; content:"article=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi access"; flow:to_server,established; content:"/talkback.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adcycle access"; flow:to_server,established; content:"/adcycle"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MachineInfo access"; flow:to_server,established; content:"/MachineInfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi NULL attempt"; flow:to_server,established; content:"/emumail.cgi"; http_uri; content:"type="; nocase; content:"%00"; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi access"; flow:to_server,established; content:"/emumail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS +.htr code fragment attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-044; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-attack; sid:1725; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
doctodep.btr access"; flow:to_server,established; content:"doctodep.btr"; http_uri;
metadata:ruleset community, service http; classtype:web-application-activity;
sid:1726; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI
InfoSearch fname access"; flow:to_server,established; content:"/infosrch.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-
activity; sid:1727; rev:20;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC
channel join"; flow:to_server,established; dsize:<140; content:"JOIN "; pcre:"/(&|
#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ustorekeeper.pl directory traversal attempt"; flow:to_server,established;
content:"/ustorekeeper.pl"; nocase; http_uri; content:"file=../../";
fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645;
classtype:web-application-attack; sid:1730; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
a1stats access"; flow:to_server,established; content:"/a1stats/"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2705;
reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-
activity; sid:1731; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld
request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00
00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode;
sid:1732; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld
request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4;
offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86
A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset
community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181;
classtype:rpc-portmap-decode; sid:1733; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER overflow
attempt"; flow:to_server,established; content:"USER"; nocase;
isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy max-
detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078;
reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504;
reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044;
reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,49750;
reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510;
reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539;
reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761;
reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256;
reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126;
reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286;
reference:cve,2004-0695; reference:cve,2005-3683; classtype:attempted-admin;
sid:1734; rev:50;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla
Netscape XMLHttpRequest local file read attempt"; flow:to_client,established;
file_data; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase;
metadata:ruleset community, service http; reference:bugtraq,4628;
reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
squirrel mail spell-check arbitrary command attempt"; flow:to_server,established;
content:"/squirrelspell/modules/check_me.mod.php"; fast_pattern; nocase; http_uri;
content:"SQSPELL_APP["; nocase; metadata:ruleset community, service http;
reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
squirrel mail theme arbitrary command attempt"; flow:to_server,established;
content:"/left_main.php"; nocase; http_uri; content:"cmdd="; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,4385;
reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
global.inc access"; flow:to_server,established; content:"/global.inc";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack;
sid:1738; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
DNSTools administrator authentication bypass attempt"; flow:to_server,established;
content:"/dnstools.php"; nocase; http_uri; content:"user_logged_in=true"; nocase;
http_uri; content:"user_dnstools_administrator=true"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4617;
reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
DNSTools authentication bypass attempt"; flow:to_server,established;
content:"/dnstools.php"; fast_pattern; nocase; http_uri;
content:"user_logged_in=true"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack;
sid:1740; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
DNSTools access"; flow:to_server,established; content:"/dnstools.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-
activity; sid:1741; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established;
content:"/dostuff.php?"; nocase; http_uri; content:"action=modify_user";
distance:0; nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack;
sid:1742; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Blahz-DNS dostuff.php access"; flow:to_server,established; content:"/dostuff.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-
activity; sid:1743; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
SecureSite authentication bypass attempt"; flow:to_server,established;
content:"secure_site, ok"; nocase; metadata:ruleset community, service http;
reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Messagerie supp_membre.php access"; flow:to_server,established;
content:"/supp_membre.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4635; classtype:web-application-
activity; sid:1745; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd
request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00
00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084;
reference:nessus,10951; classtype:rpc-portmap-decode; sid:1746; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd
request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4;
offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87
8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset
community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033;
reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode;
sid:1747; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
users.xml access"; flow:to_server,established; content:"/users.xml"; nocase;
http_uri; metadata:ruleset community, service http; classtype:web-application-
activity; sid:1750; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"SERVER-OTHER cachefsd
buffer overflow attempt"; flow:to_server,established; isdataat:720; content:"|00 01
87 86 00 00 00 01 00 00 00 05|"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951;
classtype:misc-attack; sid:1751; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
as_web.exe access"; flow:to_server,established; content:"/as_web.exe"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,4670;
reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-
activity; sid:1753; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
as_web4.exe access"; flow:to_server,established; content:"/as_web4.exe"; nocase;
http_uri; metadata:ruleset community, service http; reference:bugtraq,4670;
reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-
activity; sid:1754; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body
buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase;
content:"BODY["; distance:0; nocase; isdataat:1024,relative; pcre:"/\sPARTIAL.*?
BODY\[[^\]]{1024}/smi"; metadata:ruleset community, service imap;
reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966;
classtype:misc-attack; sid:1755; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NewsPro
administration authentication attempt"; flow:to_server,established;
content:"logged,true"; metadata:ruleset community, service http;
reference:bugtraq,4672; reference:cve,2002-1734; classtype:web-application-
activity; sid:1756; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2
arbitrary command execution attempt"; flow:to_server,established; content:"/b2/b2-
include/"; http_uri; content:"b2inc"; content:"http|3A|//"; metadata:ruleset
community, service http; reference:bugtraq,4673; reference:cve,2002-0734;
reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack;
sid:1757; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"SQL xp_cmdshell program
execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|
s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,5309; classtype:attempted-user; sid:1759; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf
arbitrary command execution attempt"; flow:to_server,established; content:"/phf";
fast_pattern; nocase; http_uri; content:"QALIAS"; nocase; content:"%0a"; nocase;
metadata:policy max-detect-ips drop, ruleset community, service http;
reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack;
sid:1762; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Nortel Contivity cgiproc DOS attempt"; flow:to_server,established;
content:"/cgiproc?Nocfile="; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,938; reference:cve,2000-0063;
reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack;
sid:1763; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Nortel Contivity cgiproc DOS attempt"; flow:to_server,established;
content:"/cgiproc?|24|"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-
0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Nortel Contivity cgiproc access"; flow:to_server,established; content:"/cgiproc";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064;
reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
search.dll directory listing attempt"; flow:to_server,established;
content:"/search.dll"; http_uri; content:"query=%00"; metadata:ruleset community,
service http; reference:bugtraq,1684; reference:cve,2000-0835;
reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
search.dll access"; flow:to_server,established; content:"/search.dll"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1684;
reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-
activity; sid:1767; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
.DS_Store access"; flow:to_server,established; content:"/.DS_Store"; http_uri;
metadata:ruleset community, service http;
reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-
application-activity; sid:1769; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
.FBCIndex access"; flow:to_server,established; content:"/.FBCIndex"; http_uri;
metadata:ruleset community, service http;
reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-
application-activity; sid:1770; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec PGPNet
connection attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00
00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00
00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04
00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02
00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|";
fast_pattern:only; metadata:ruleset community; classtype:protocol-command-decode;
sid:1771; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
pbserver access"; flow:to_server,established; content:"/pbserver/pbserver.dll";
nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-
1089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-094;
classtype:web-application-activity; sid:1772; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
php.exe access"; flow:to_server,established; content:"/php.exe"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-
application-activity; sid:1773; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
bb_smilies.php access"; flow:to_server,established; content:"/bb_smilies.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-
Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL root login
attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|
00|"; fast_pattern:only; metadata:ruleset community, service mysql;
classtype:protocol-command-decode; sid:1775; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL show
databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show
databases"; fast_pattern:only; metadata:ruleset community, service mysql;
classtype:protocol-command-decode; sid:1776; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT
asterisk dos attempt"; flow:to_server,established; content:"STAT";
fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata:ruleset community,
service ftp; reference:bugtraq,4482; reference:cve,2002-0073;
reference:nessus,10934; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1777; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT ? dos
attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only;
pcre:"/^STAT\s+[^\n]*\x3f/smi"; metadata:ruleset community, service ftp;
reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018;
classtype:attempted-dos; sid:1778; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
csPassword.cgi access"; flow:to_server,established; content:"/csPassword.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887;
reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918;
classtype:web-application-activity; sid:1787; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
csPassword password.cgi.tmp access"; flow:to_server,established;
content:"/password.cgi.tmp"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4889; reference:cve,2002-0920;
classtype:web-application-activity; sid:1788; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC dns
request"; flow:to_server,established; content:"USERHOST "; metadata:ruleset
community; classtype:policy-violation; sid:1789; rev:12;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC dns response"; flow:to_client,established; content:"|3A|"; content:" 302 "; content:"=+"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:1790; rev:11;)
# alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"PROTOCOL-NNTP return code buffer overflow attempt"; flow:to_client,established; content:"200"; isdataat:256,relative; pcre:"/^200\s[^\n]{256}/smi"; metadata:ruleset community; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".asa"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1802; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".cer"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1803; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".cdx"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1804; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Reports CGI access"; flow:to_server,established; content:"/rwcgi60"; fast_pattern:only; http_uri; content:"setauth="; metadata:ruleset community, service http; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; content:".htr"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; reference:nessus,11028; classtype:web-application-attack; sid:1806; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding: chunked|0D 0A 0D 0A 0D 0A|"; nocase; isdataat:!0,relative,rawbytes; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt"; flow:to_server,established; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"X-CCCCCCC|3A 20|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:1809; rev:19;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit GOBBLE"; flow:to_client,established; content:"*GOBBLE*"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; classtype:successful-admin; sid:1810; rev:19;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit uname"; flow:to_client,established; content:"uname"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1812; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP digital island bandwidth query"; content:"mailto|3A|[email protected]"; depth:22; metadata:ruleset community; classtype:misc-activity; sid:1813; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO VoIP DOS ATTEMPT"; flow:to_server,established; content:"/StreamingStatistics"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php arbitrary command attempt"; flow:to_server,established; content:"/directory.php"; http_uri; content:"dir="; content:"|3B|"; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; reference:nessus,11017; classtype:misc-attack; sid:1815; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php access"; flow:to_server,established; content:"/directory.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; pcre:"/^Authorization\x3A\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server admin attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"SERVER-OTHER Alcatel PABX 4400 connection attempt"; flow:to_server,established; content:"|00 01|C"; depth:3; metadata:ruleset community; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Net.Commerce orderdspc.d2w access"; flow:to_server,established; content:"/ncommerce3/ExecMacro/orderdspc.d2w"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; metadata:ruleset community; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi directory traversal attempt"; flow:to_server,established; content:"/alienform.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi directory traversal attempt"; flow:to_server,established; content:"/af.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi access"; flow:to_server,established; content:"/alienform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi access"; flow:to_server,established; content:"/af.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WEB-INF access"; flow:to_server,established; content:"/WEB-INF"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat servlet mapping cross site scripting attempt"; flow:to_server,established; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; metadata:ruleset community, service http; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet Search directory traversal attempt"; flow:to_server,established; content:"/search"; nocase; http_uri; content:"NS-query-pat="; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat TroubleShooter servlet access"; flow:to_server,established; content:"/examples/servlet/TroubleShooter"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat SnoopServlet servlet access"; flow:to_server,established; content:"/examples/servlet/SnoopServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jigsaw dos attempt"; flow:to_server,established; content:"/servlet/con"; http_uri; pcre:"/\x2Fcon\b/Ui"; metadata:ruleset community, service http; reference:bugtraq,5258; reference:cve,2002-1052; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:12;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"POLICY-SOCIAL ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; fast_pattern:only; content:"[ICQ User]"; metadata:ruleset community; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Wiki cross site scripting attempt"; flow:to_server,established; content:"/modules.php?"; http_uri; content:"name=Wiki"; fast_pattern; nocase; http_uri; content:"<script"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Macromedia SiteSpring cross site scripting attempt"; flow:to_server,established; content:"/error/500error.jsp"; nocase; http_uri; content:"et="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:14;)
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER SSH server banner overflow"; flow:to_client,established; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism"; metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman cross site scripting attempt"; flow:to_server,established; content:"/mailman/"; nocase; http_uri; content:"?"; http_uri; content:"info="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5298; reference:cve,2002-0855; reference:nessus,14984; classtype:web-application-attack; sid:1839; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Javascript document.domain attempt"; flow:to_client,established; file_data; content:"document.domain|28|"; nocase; metadata:ruleset community, service http; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service http; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:1841; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2004-1011; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-1373; reference:cve,2007-2795; reference:cve,2007-3925; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:34;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"MALWARE-BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY-MULTIMEDIA vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; metadata:ruleset community; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webalizer access"; flow:to_server,established; content:"/webalizer/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart-lite access"; flow:to_server,established; content:"/webcart-lite/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webfind.exe access"; flow:to_server,established; content:"/webfind.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board.cgi access"; flow:to_server,established; content:"/way-board.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP active.log access"; flow:to_server,established; content:"/active.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robots.txt access"; flow:to_server,established; content:"/robots.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"MALWARE-BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44"; depth:14; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:12;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robot.txt access"; flow:to_server,established; content:"/robot.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; http_uri; metadata:ruleset community, service http; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Oracle JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH"; metadata:ruleset community, service http; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default username and password login attempt"; flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; metadata:ruleset community; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mrtg.cgi directory traversal attempt"; flow:to_server,established; content:"/mrtg.cgi"; http_uri; content:"cfg=/../"; metadata:ruleset community, service http; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi arbitrary command attempt"; flow:to_server,established; content:"/webdist.cgi"; nocase; http_uri; content:"distloc=|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER overflow attempt"; flow:to_server,established; content:"USER"; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,11256; reference:bugtraq,19651; reference:bugtraq,789; reference:cve,1999-0494; reference:cve,2002-1781; reference:cve,2006-2502; reference:cve,2006-4364; reference:nessus,10311; reference:url,www.delegate.org/mail-lists/delegate-en/1475; classtype:attempted-admin; sid:1866; rev:25;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp info query"; flow:to_server; content:"|00 01 00 02 00 01 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl access"; flow:to_server,established; content:"/story.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP siteUserMod.cgi access"; flow:to_server,established; content:"/.cobalt/siteUserMod/siteUserMod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle XSQLConfig.xml access"; flow:to_server,established; content:"/XSQLConfig.xml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; content:"/dms0"; http_uri; metadata:ruleset community, service http; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP globals.jsa access"; flow:to_server,established; content:"/globals.jsa"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; metadata:ruleset community, service http; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgicso access"; flow:to_server,established; content:"/cgicso"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6141; reference:cve,2002-1652; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-publish.cgi access"; flow:to_server,established; content:"/nph-publish.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP printenv access"; flow:to_server,established; content:"/printenv"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; content:"current=|7C|"; nocase; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established; content:"/ows-bin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; metadata:ruleset community, service http; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:13;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE id check returned userid"; content:"uid="; nocase; content:" gid="; distance:0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/smi"; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:1882; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14;)
# alert udp $EXTERNAL_NET 2002 -> $HOME_NET 2002 (msg:"MALWARE-CNC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; metadata:ruleset community; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind
buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00
00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731;
reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind
buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00
00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731;
reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind
buffer overflow attempt"; flow:to_server,established; content:"/shh//bi";
metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024;
reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind
buffer overflow attempt"; flow:to_server,established; content:"/shh//bi";
metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024;
reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899;
rev:12;)
# alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful
kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*";
depth:8; metadata:ruleset community; reference:bugtraq,5731;
reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900;
rev:15;)
# alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful
kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*";
depth:8; metadata:ruleset community; reference:bugtraq,5731;
reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235;
reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub literal
overflow attempt"; flow:to_server,established; content:"LSUB"; fast_pattern:only;
pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative;
metadata:ruleset community, service imap; reference:bugtraq,1110;
reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename overflow
attempt"; flow:established,to_server; content:"RENAME"; nocase;
isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,1110; reference:cve,2000-0284;
reference:nessus,10374; classtype:misc-attack; sid:1903; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP find overflow
attempt"; flow:established,to_server; content:"FIND"; nocase;
isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; metadata:ruleset community,
service imap; reference:bugtraq,1110; reference:cve,2000-0284;
reference:nessus,10374; classtype:misc-attack; sid:1904; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP
amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|";
depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704;
classtype:misc-attack; sid:1905; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP
amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04
93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704;
classtype:misc-attack; sid:1906; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP
CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|";
depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,36615;
reference:bugtraq,524; reference:cve,1999-0696; reference:cve,2009-3699;
classtype:attempted-admin; sid:1907; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP
CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01
86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696;
classtype:attempted-admin; sid:1908; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP
CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01
86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00
00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524;
reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html;
classtype:misc-attack; sid:1909; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD udp
CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|";
depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00
00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0696;
reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack;
sid:1910; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP
NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00
01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,124,relative,align; byte_jump:4,20,relative,align;
byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977;
classtype:attempted-admin; sid:1911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP
NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established;
content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,124,relative,align; byte_jump:4,20,relative,align;
byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,0866; reference:bugtraq,866;
reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP stat
mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|";
depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666;
reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP stat
mon_name format string exploit attempt"; flow:to_server,established; content:"|00
01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666;
reference:nessus,10544; classtype:attempted-admin; sid:1914; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP monitor
mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|";
depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666;
reference:nessus,10544; classtype:attempted-admin; sid:1915; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP monitor
mon_name format string exploit attempt"; flow:to_server,established; content:"|00
01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666;
reference:nessus,10544; classtype:attempted-admin; sid:1916; rev:17;)
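#
# The PROTOCOL-RPC rules above share one skeleton: match the program number at
# offset 12 (16 on TCP, where a 4-byte record-marking header precedes the
# message), skip the version field to match the procedure, jump over the
# credential and verifier with two aligned byte_jumps, byte_test the XDR length
# of the first argument against a threshold, and confirm that msg_type is CALL.
# The Python below is an added illustration, not part of the Snort community
# ruleset: it builds a constructed RPC CALL and re-implements that walk for
# sid:1913/1914 (statd SM_STAT mon_name, threshold 100). Because the same
# skeleton with other program numbers, procedures and thresholds is what the
# CMSD_CREATE (sid:1907/1908), AMD amqproc_mount (sid:1905/1906), tooltalk
# (sid:1964/1965) and RQUOTA getquota (sid:1963) rules express, prog, proc and
# threshold are parameters. The xid, the credential contents and the argument
# strings are constructed values, not captured traffic.

```python
import struct

RPC_CALL = 0                 # msg_type CALL: the "|00 00 00 00|"; offset:4 (8 on TCP) check
RPC_VERSION = 2
AUTH_NULL, AUTH_UNIX = 0, 1
PROG_STATD = 100024          # 0x000186B8, the "|00 01 86 B8|" bytes in sid:1913-1916
SM_STAT, SM_MON = 1, 2       # statd procedures tested by sid:1913/1914 and sid:1915/1916


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque/string: 4-byte length, body, zero pad to 4 bytes."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def auth_unix_body(machine: bytes, uid: int, gid: int) -> bytes:
    """AUTH_UNIX credential body: stamp, machine name, uid, gid, empty gid list."""
    return struct.pack(">I", 0) + xdr_opaque(machine) + struct.pack(">III", uid, gid, 0)


def build_rpc_call(prog: int, vers: int, proc: int, cred_body: bytes,
                   args: bytes, tcp: bool = False) -> bytes:
    """Constructed RPC CALL (not captured traffic): xid, msg_type, rpcvers, prog,
    vers, proc, AUTH_UNIX credential, AUTH_NULL verifier, then the arguments.
    On TCP a 4-byte record-marking header precedes the message, which is why the
    TCP rules use offset:16 / offset:8 where the UDP rules use offset:12 / offset:4."""
    header = struct.pack(">IIIIII", 0x1EADBEEF, RPC_CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack(">I", AUTH_UNIX) + xdr_opaque(cred_body)
    verf = struct.pack(">I", AUTH_NULL) + xdr_opaque(b"")
    msg = header + cred + verf + args
    if tcp:
        msg = struct.pack(">I", 0x80000000 | len(msg)) + msg  # last-fragment bit + length
    return msg


def align4(n: int) -> int:
    """byte_jump's align modifier: round the jump distance up to a 32-bit boundary."""
    return (n + 3) & ~3


def rpc_call_fields(payload: bytes, tcp: bool = False):
    """Walk the message the way the rules do and return
    (msg_type, prog, proc, first_arg_len). Raises struct.error when truncated."""
    base = 4 if tcp else 0                                   # skip the TCP record marker
    (msg_type,) = struct.unpack(">I", payload[base + 4:base + 8])
    prog, _vers, proc = struct.unpack(">III", payload[base + 12:base + 24])
    cur = base + 24                                          # cursor after the proc match
    for _ in range(2):                                       # byte_jump:4,4,relative,align, twice
        (body_len,) = struct.unpack(">I", payload[cur + 4:cur + 8])
        cur += 8 + align4(body_len)                          # flavor + length + padded body
    (first_arg_len,) = struct.unpack(">I", payload[cur:cur + 4])  # byte_test reads here
    return msg_type, prog, proc, first_arg_len


def rpc_arg_overflow(payload: bytes, prog: int, proc: int,
                     threshold: int, tcp: bool = False) -> bool:
    """True when the payload is a CALL to prog/proc whose first XDR argument declares
    a length above threshold: the condition sid:1913/1914 express with
    byte_test:4,>,100,0,relative after the two jumps."""
    try:
        msg_type, p, pr, arg_len = rpc_call_fields(payload, tcp)
    except struct.error:                                     # truncated message: no match
        return False
    return msg_type == RPC_CALL and p == prog and pr == proc and arg_len > threshold


if __name__ == "__main__":
    cred = auth_unix_body(b"client", 0, 0)
    long_name = build_rpc_call(PROG_STATD, 1, SM_STAT, cred, xdr_opaque(b"A" * 200))
    short_name = build_rpc_call(PROG_STATD, 1, SM_STAT, cred, xdr_opaque(b"client.example"))
    tcp_long = build_rpc_call(PROG_STATD, 1, SM_STAT, cred, xdr_opaque(b"A" * 200), tcp=True)
    for label, pkt, tcp in (("udp/long", long_name, False), ("udp/short", short_name, False),
                            ("tcp/long", tcp_long, True)):
        print(label, rpc_call_fields(pkt, tcp), rpc_arg_overflow(pkt, PROG_STATD, SM_STAT, 100, tcp))
```

# Two points the walk makes visible: the align modifier is what keeps the cursor
# correct when a credential body is not a multiple of four bytes, and a message
# truncated before the verifier simply fails to match rather than raising, which
# is also how the rule behaves on a short packet.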
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:network-scan; sid:1917; rev:15;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1918; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1922; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1923; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP export request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1924; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:1925; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP exportall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1926; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1927; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; pcre:"/^RETR[^\n]*shadow$/smi"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1928; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; fast_pattern:only; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-nlog.pl access"; flow:to_server,established; content:"/rpc-nlog.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-smb.pl access"; flow:to_server,established; content:"/rpc-smb.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart.cgi access"; flow:to_server,established; content:"/cart.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:1938; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hardware address length overflow"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,6,2; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp invalid hardware type"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,7,1; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:8;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /Carello/add.exe access"; flow:to_server,established; content:"/Carello/add.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ecscripts/ecware.exe access"; flow:to_server,established; content:"/ecscripts/ecware.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; metadata:ruleset community; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; metadata:ruleset community; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:19;)
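#
# sid:1948 above decodes a DNS header by hand: the 7-byte content at offset 4
# pins QDCOUNT to 1 and ANCOUNT, NSCOUNT and the high byte of ARCOUNT to 0, the
# byte_test with mask 0xF8 on byte 2 requires QR=0 and OPCODE=0 (a standard
# query), the "|00 00 FC 00 01|" content is the name terminator followed by
# QTYPE 252 (AXFR) and QCLASS IN, and isdataat:!1,relative demands that nothing
# follow the question. The Python below is an added illustration, not part of
# the Snort community ruleset: it constructs a few queries and mirrors the rule
# option by option, including the case a defender should know about, a request
# that carries an additional record and therefore does not match. Names, the
# transaction id and the EDNS payload size are constructed values.

```python
import struct

QTYPE_A, QTYPE_AXFR, QTYPE_OPT = 1, 252, 41
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_dns_query(name: str, qtype: int, flags: int = 0x0100,
                    additional: bytes = b"", arcount: int = 0) -> bytes:
    """Constructed query (not captured traffic): 12-byte header with one question,
    then the question and an optional additional section. flags=0x0100 is a plain
    recursion-desired query; 0x8180 would be a response."""
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, arcount)
    question = encode_qname(name) + struct.pack(">HH", qtype, QCLASS_IN)
    return header + question + additional


def edns_opt_rr(udp_size: int = 4096) -> bytes:
    """Minimal EDNS(0) OPT pseudo-RR: root name, type 41, class = UDP payload size,
    TTL 0 (extended RCODE and flags), empty RDATA."""
    return b"\x00" + struct.pack(">HHIH", QTYPE_OPT, udp_size, 0, 0)


def udp_axfr_request(payload: bytes) -> bool:
    """Mirror sid:1948 option by option."""
    # content:"|00 01 00 00 00 00 00|"; depth:8; offset:4
    # -> QDCOUNT 1, ANCOUNT 0, NSCOUNT 0 and the high byte of ARCOUNT 0
    if b"\x00\x01\x00\x00\x00\x00\x00" not in payload[4:12]:
        return False
    # byte_test:1,!&,0xF8,2 -> QR and OPCODE bits of the flags high byte all clear
    if len(payload) < 3 or payload[2] & 0xF8:
        return False
    # content:"|00 00 FC 00 01|" (name terminator, QTYPE 252 AXFR, QCLASS IN)
    # followed by isdataat:!1,relative: nothing may follow the question. Snort
    # retries later occurrences of the content, so "ends with" is equivalent.
    return payload.endswith(b"\x00\x00\xfc\x00\x01")


if __name__ == "__main__":
    samples = {
        "axfr": build_dns_query("example.test", QTYPE_AXFR),
        "a record": build_dns_query("example.test", QTYPE_A),
        "axfr response": build_dns_query("example.test", QTYPE_AXFR, flags=0x8180),
        "axfr + edns": build_dns_query("example.test", QTYPE_AXFR,
                                       additional=edns_opt_rr(), arcount=1),
    }
    for label, pkt in samples.items():
        print(f"{label:14s} matches={udp_axfr_request(pkt)}")
```

# The last sample shows the rule's blind spot: an AXFR request with an EDNS OPT
# or TSIG record still passes the 7-byte header check (ARCOUNT 1 keeps its high
# byte at 0) but fails isdataat:!1,relative because data follows the question.
# The rule also covers UDP only; zone transfers normally run over TCP, so it
# should be read as a detector for the anomalous UDP form, not for AXFR as such.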
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET
attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4;
offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|";
depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-
portmap-decode; sid:1949; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET
attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1950; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount
request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16;
content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:8; metadata:ruleset community; reference:cve,1999-0210; classtype:attempted-
recon; sid:1951; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP mount
request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00
00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon;
sid:1952; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP pid
request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16;
content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1953;
rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP pid
request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00
00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP version
request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16;
content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1955;
rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP version
request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00
00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,1554; reference:cve,2000-0696;
classtype:rpc-portmap-decode; sid:1956; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP
PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|";
within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset
community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229;
classtype:protocol-command-decode; sid:1957; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP
PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16;
content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:8; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-
0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1958; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS
request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|";
within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1959;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS
request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4;
offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86
A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset
community, service sunrpc; classtype:rpc-portmap-decode; sid:1960; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA
request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|";
within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1961;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA
request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4;
offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86
AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset
community, service sunrpc; classtype:rpc-portmap-decode; sid:1962; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota
overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00
00 01|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00
00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,864;
reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk UDP
overflow attempt"; flow:to_server; content:"|00 01 86 F3|"; depth:4; offset:12;
content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00
00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,122;
reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk TCP
overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4;
offset:16; content:"|00 00 00 07|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003;
reference:cve,2001-0717; classtype:attempted-admin; sid:1965; rev:17;)
# alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 (msg:"SERVER-OTHER
GlobalSunTech Access Point Information Disclosure attempt"; flow:to_server;
content:"gstsearch"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,6100; reference:cve,2002-2137; classtype:misc-activity; sid:1966;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
phpbb quick-reply.php arbitrary command attempt"; flow:to_server,established;
content:"/quick-reply.php"; http_uri; content:"phpbb_root_path="; metadata:ruleset
community, service http; reference:bugtraq,6173; reference:cve,2002-2287;
classtype:web-application-attack; sid:1967; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
phpbb quick-reply.php access"; flow:to_server,established; content:"/quick-
reply.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-
activity; sid:1968; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ion-
p access"; flow:to_server,established; content:"/ion-p"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:bugtraq,6091;
reference:cve,2002-1559; reference:nessus,11729; classtype:web-application-
activity; sid:1969; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MDAC
Content-Type overflow attempt"; flow:to_server,established; content:"/msadcs.dll";
nocase; http_uri; content:"Content-Type|3A|"; nocase; isdataat:50,relative;
content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; metadata:ruleset community,
service http; reference:bugtraq,6214; reference:cve,2002-1142;
reference:nessus,11161; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS02-065; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS98-004; reference:url,www.foundstone.com/knowledge/randd-
advisories-display.html?id=337; classtype:web-application-attack; sid:1970;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC format
string attempt"; flow:to_server,established; content:"SITE"; nocase;
content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi";
metadata:ruleset community, service ftp; reference:bugtraq,1387;
reference:bugtraq,1505; reference:cve,2000-0573; classtype:bad-unknown; sid:1971;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS overflow
attempt"; flow:to_server,established; content:"PASS"; nocase;
isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; metadata:policy max-
detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078;
reference:bugtraq,10720; reference:bugtraq,15457; reference:bugtraq,1690;
reference:bugtraq,22045; reference:bugtraq,3884; reference:bugtraq,45957;
reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519;
reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126;
reference:cve,2002-0895; reference:cve,2005-3683; reference:cve,2006-6576;
classtype:attempted-admin; sid:1972; rev:32;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD overflow
attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:150,relative;
pcre:"/^MKD(?!\n)\s[^\n]{150}/smi"; metadata:policy max-detect-ips drop, ruleset
community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457;
reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278;
reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135;
reference:cve,2005-3683; reference:cve,2009-3023; reference:cve,2010-0625;
reference:nessus,12108; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653;
classtype:attempted-admin; sid:1973; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST overflow
attempt"; flow:to_server,established; content:"REST"; nocase;
isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,2972; reference:cve,2001-0826;
reference:nessus,11755; classtype:attempted-admin; sid:1974; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP DELE overflow
attempt"; flow:to_server,established; content:"DELE"; nocase;
isdataat:100,relative; pcre:"/^DELE(?!\n)\s[^\n]{100}/mi"; metadata:policy max-
detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457;
reference:bugtraq,2972; reference:bugtraq,46922; reference:cve,2001-0826;
reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-4228;
reference:nessus,11755; classtype:attempted-admin; sid:1975; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMD overflow
attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative;
pcre:"/^RMD(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset
community, service ftp; reference:bugtraq,15457; reference:bugtraq,2972;
reference:bugtraq,39041; reference:cve,2000-0133; reference:cve,2001-0826;
reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-0625;
classtype:attempted-admin; sid:1976; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1977; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1978; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP perl post attempt"; flow:to_server,established; content:"POST"; depth:4; content:"/perl/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:11;)
# alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:10;)
# alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly variant outbound connection attempt"; flow:to_client,established; content:"* Doly trojan v1.5 - Connected."; fast_pattern:only; metadata:impact_flag red, ruleset community, service http; reference:url,virustotal.com/en/file/499446edf3dfd200ebf3df2526cd4d101979e626afcd1860193f71829be23922/; classtype:trojan-activity; sid:1985; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1986; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"SERVER-OTHER xfs overflow attempt"; flow:to_server,established; isdataat:512; content:"B|00 02|"; depth:3; metadata:ruleset community; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:11;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1988; rev:11;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1989; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:1990; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; metadata:ruleset community; classtype:policy-violation; sid:1991; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal buffer overflow attempt"; flow:established,to_server; pcre:"/\sLOGIN\s[^\n]*?\{\s*(-|[3-9][0-9]{2}|2[6-9][0-9]|25[7-9]|[0-9]{4})/smi"; content:"LOGIN"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,14718; reference:bugtraq,21724; reference:bugtraq,23810; reference:bugtraq,6298; reference:cve,2002-1580; reference:cve,2005-1758; reference:cve,2006-6424; reference:cve,2007-0221; reference:nessus,12532; classtype:misc-attack; sid:1993; rev:24;)
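# sid 1993 above flags an IMAP LOGIN whose literal size {N} is negative, a three-digit
# number from 257 up, or at least four digits; it does this with digit patterns rather
# than arithmetic. The Python below is an added example, not part of the Sourcefire rule
# set: it runs the rule's pcre (transcribed, with Snort's s/m/i flags mapped to re.S,
# re.M and re.I) over constructed client-side IMAP lines and compares the result with an
# arithmetic check of every literal in the stream. The sample lines are constructed, and
# the 256-octet threshold is read off the regex, not taken from any server's limit.

```python
import re

# The sid 1993 pcre, transcribed from the rule; Snort's s, m, i flags map to re.S, re.M, re.I.
SID_1993_PCRE = re.compile(
    rb"\sLOGIN\s[^\n]*?\{\s*(-|[3-9][0-9]{2}|2[6-9][0-9]|25[7-9]|[0-9]{4})",
    re.S | re.M | re.I,
)

# IMAP literal syntax: {<octet-count>} at the end of a line (RFC 3501 section 4.3).
IMAP_LITERAL = re.compile(rb"\{(-?[0-9]+)\}")


def sid_1993_matches(client_data: bytes) -> bool:
    """Emulate the rule: the fast-pattern content 'LOGIN' (nocase) must be present,
    then the pcre must match somewhere in the client-to-server data."""
    if b"login" not in client_data.lower():      # content:"LOGIN"; nocase; fast_pattern:only
        return False
    return SID_1993_PCRE.search(client_data) is not None


def oversized_literals(client_data: bytes, limit: int = 256) -> list:
    """Arithmetic check the regex approximates: every literal whose declared size is
    negative or larger than `limit`, wherever it appears in the command stream."""
    return [int(n) for n in IMAP_LITERAL.findall(client_data)
            if int(n) < 0 or int(n) > limit]


# Constructed client-side IMAP data (not captured traffic).
SAMPLES = {
    "benign":       b"a001 LOGIN {8}\r\n",
    "at_limit":     b"a002 LOGIN {256}\r\n",
    "just_over":    b"a003 LOGIN {257}\r\n",
    "four_digits":  b"a004 LOGIN {1024}\r\n",
    "negative":     b"a005 LOGIN {-1}\r\n",
    "password_arg": b"a006 LOGIN alice {3000}\r\n",
    # Username sent as a literal first; the oversized password literal then arrives on
    # the next line (after the server's continuation request), where [^\n]*? cannot reach it.
    "second_line":  b"a007 LOGIN {5}\r\nalice {2048}\r\n",
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (rule_fires, oversized_sizes)} for every sample."""
    return {k: (sid_1993_matches(v), oversized_literals(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (fires, sizes) in evaluate().items():
        print(f"{name:13s} sid1993={fires!s:5s} oversized={sizes}")
```

# The last sample shows a coverage gap worth knowing about: when the username is itself
# sent as a literal, the client waits for the server's continuation request and sends the
# oversized password literal on a later line (in practice in a later packet), where neither
# the LOGIN fast-pattern nor the [^\n]*? part of the pcre can reach it.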
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP vpasswd.cgi access"; flow:to_server,established; content:"/vpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alya.cgi access"; flow:to_server,established; content:"/alya.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viralator.cgi access"; flow:to_server,established; content:"/viralator.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP read_body.php access attempt"; flow:to_server,established; content:"/read_body.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6302; reference:cve,2002-1341; reference:nessus,11415; classtype:web-application-activity; sid:1997; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.php access"; flow:to_server,established; content:"/calendar.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5820; reference:bugtraq,9353; reference:cve,2002-1660; reference:cve,2004-1785; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edit_image.php access"; flow:to_server,established; content:"/edit_image.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP readmsg.php access"; flow:to_server,established; content:"/readmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smartsearch.cgi access"; flow:to_server,established; content:"/smartsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP remote include path attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"path="; fast_pattern:only; http_uri; pcre:"/path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/File_inclusion_vulnerability; reference:url,php.net/manual/en/function.include.php; classtype:web-application-attack; sid:2002; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; fast_pattern:only; content:"sock"; content:"send"; metadata:ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:15;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; fast_pattern:only; content:"sock"; content:"send"; metadata:ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:18;)
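# The two portmap rules above (sids 2005 and 2006) find the requested program number by
# walking the ONC RPC call header: program number at payload offset 12 (16 over TCP, where
# a 4-byte record-marking header precedes the message), procedure number 4 bytes after the
# version, then two byte_jump options that hop over the variable-length credential and
# verifier before checking the GETPORT argument. The Python below is an added example, not
# part of the Sourcefire rule set; it constructs a PMAPPROC_GETPORT call for program 100221
# (kcms_server, the |00 01 87|} bytes) and re-implements the option chain so the offsets
# and the 'align' rounding can be checked against sample messages. The messages are
# constructed, not captured, and the byte_jump/within arithmetic follows the Snort manual's
# description of those options rather than the Snort source.

```python
import struct

PMAP_PROG = 100000        # |00 01 86 A0|
PMAP_GETPORT = 3          # |00 00 00 03|
KCMS_PROG = 0x0001877D    # |00 01 87|}  (100221, kcms_server)
NFS_PROG = 100003


def opaque_auth(flavor: int, body: bytes) -> bytes:
    """XDR opaque_auth: flavor, body length, body padded to a 4-byte boundary."""
    return struct.pack(">II", flavor, len(body)) + body + b"\x00" * ((-len(body)) % 4)


def rpc_call(prog: int, vers: int, proc: int, args: bytes,
             xid: int = 0x1234, cred: bytes = b"") -> bytes:
    """ONC RPC v2 CALL (RFC 5531): xid, msg_type=0, rpcvers=2, prog, vers, proc, then the
    credential (AUTH_UNIX=1 if a body is given, else AUTH_NULL=0), an AUTH_NULL verifier,
    then the procedure arguments."""
    hdr = struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc)
    return hdr + opaque_auth(1 if cred else 0, cred) + opaque_auth(0, b"") + args


def pmap_getport_args(prog: int, vers: int = 1, prot: int = 17) -> bytes:
    """PMAPPROC_GETPORT arguments: prog, vers, prot (6=tcp, 17=udp), port (ignored)."""
    return struct.pack(">IIII", prog, vers, prot, 0)


def tcp_frame(msg: bytes) -> bytes:
    """RPC-over-TCP record marking: high bit = last fragment, low 31 bits = length."""
    return struct.pack(">I", 0x80000000 | len(msg)) + msg


def rule_matches(payload: bytes, wanted_prog: int, tcp: bool = False) -> bool:
    """Re-implementation of the sid 2005 (UDP) / 2006 (TCP) option chain."""
    base = 4 if tcp else 0   # the TCP rule uses offset:16 / offset:8 instead of 12 / 4

    def u32(off: int) -> int:
        return struct.unpack_from(">I", payload, off)[0]

    if len(payload) < base + 32:
        return False
    if u32(base + 4) != 0:                 # content:"|00 00 00 00|"; depth:4; offset:4|8  (CALL)
        return False
    if u32(base + 12) != PMAP_PROG:        # content:"|00 01 86 A0|"; depth:4; offset:12|16
        return False
    if u32(base + 20) != PMAP_GETPORT:     # content:"|00 00 00 03|"; within:4; distance:4
        return False
    cur = base + 24                        # detection cursor sits just after the proc field
    for _ in range(2):                     # byte_jump:4,4,relative,align  (cred, then verf)
        if len(payload) < cur + 8:
            return False
        n = u32(cur + 4)                   # skip the 4-byte flavor, read the body length
        cur += 8 + ((n + 3) & ~3)          # 'align' rounds the jump up to a 4-byte boundary
    if len(payload) < cur + 4:
        return False
    return u32(cur) == wanted_prog         # content:"|00 01 87|}"; within:4


def build_samples() -> dict:
    """Constructed sample messages (not captured traffic)."""
    kcms = rpc_call(PMAP_PROG, 2, PMAP_GETPORT, pmap_getport_args(KCMS_PROG))
    return {
        "udp_kcms": kcms,
        "tcp_kcms": tcp_frame(kcms),
        # 13-byte AUTH_UNIX-style credential body (padded to 16): the byte_jumps must
        # still land on the argument block.
        "udp_kcms_cred": rpc_call(PMAP_PROG, 2, PMAP_GETPORT,
                                  pmap_getport_args(KCMS_PROG), cred=b"A" * 13),
        "udp_nfs": rpc_call(PMAP_PROG, 2, PMAP_GETPORT, pmap_getport_args(NFS_PROG)),
    }


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        tcp = name.startswith("tcp")
        print(f"{name:14s} tcp={tcp!s:5s} -> {rule_matches(pkt, KCMS_PROG, tcp)}")
```

# The TCP sample fails the UDP offsets because the record mark shifts every field by four
# bytes, which is why the rule set carries a separate TCP rule for each lookup; the
# credential sample shows the aligned jump landing on the argument block after a padded body.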
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:16;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid user authentication response"; flow:to_client,established; content:"E Fatal error, aborting."; fast_pattern:only; content:"|3A| no such user"; metadata:ruleset community; classtype:misc-attack; sid:2008; rev:9;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid repository response"; flow:to_client,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2009; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS double free exploit attempt response"; flow:to_client,established; content:"free|28 29 3A| warning|3A| chunk is already free"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2010; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid directory response"; flow:to_client,established; content:"E protocol error|3A| invalid directory syntax in"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2011; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS missing cvsroot response"; flow:to_client,established; content:"E protocol error|3A| Root request missing"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2012; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid module response"; flow:to_client,established; content:"cvs server|3A| cannot find module"; fast_pattern:only; content:"error"; metadata:ruleset community; classtype:misc-attack; sid:2013; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2016; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2018; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2019; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2020; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2021; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2022; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2023; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2025; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2026; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request UDP"; flow:to_server; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2035; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2036; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request UDP"; flow:to_server; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2037; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2038; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hostname format string attempt"; flow:to_server; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; metadata:ruleset community; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:11;)
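# sid 2039 above reads a BOOTP request from the top: op=1 at offset 0, an option tag 0x0C
# (Host Name) at least 240 bytes further on, that is past the 236-byte fixed header and the
# 4-byte magic cookie, then three '%' characters a few bytes apart. The Python below is an
# added example, not part of the Sourcefire rule set; it builds a DHCPDISCOVER carrying a
# hostname option and re-implements the rule's relative content walk. The packets are
# constructed, and the distance/within windows follow the Snort manual's description (the
# search starts at the previous match's end plus distance, and within bounds that window),
# which is an assumption of this example rather than something the rule text states.

```python
import struct

BOOTP_FIXED_LEN = 236                 # op .. file, everything before the magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def dhcp_discover(hostname: bytes, hostname_first: bool = False,
                  mac: bytes = b"\x02\x00\x00\x00\x00\x01", xid: int = 0xDEADBEEF) -> bytes:
    """Constructed DHCPDISCOVER (RFC 2131): op=1, htype=1 (Ethernet), hlen=6, broadcast
    flag set, then options 53 (message type), 12 (Host Name) and 255 (end)."""
    hdr = struct.pack(">BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    assert len(hdr) == BOOTP_FIXED_LEN
    msg_type = b"\x35\x01\x01"                                   # option 53: DHCPDISCOVER
    host = b"\x0c" + bytes([len(hostname)]) + hostname           # option 12: Host Name
    options = (host + msg_type if hostname_first else msg_type + host) + b"\xff"
    return hdr + MAGIC_COOKIE + options


def sid_2039_matches(payload: bytes) -> bool:
    """Re-implementation of the rule's content chain with Snort's relative cursor."""
    if len(payload) < 1 or payload[0] != 0x01:          # content:"|01|"; depth:1  (BOOTREQUEST)
        return False
    cur = 1
    pos = payload.find(b"\x0c", cur + 240)              # content:"|0C|"; distance:240
    if pos < 0:
        return False
    cur = pos + 1
    pos = payload.find(b"%", cur)                       # content:"%"; distance:0
    if pos < 0:
        return False
    cur = pos + 1
    for _ in range(2):                                  # content:"%"; within:8; distance:1  (twice)
        start = cur + 1
        pos = payload.find(b"%", start, start + 8)
        if pos < 0:
            return False
        cur = pos + 1
    return True


# Constructed samples (not captured traffic): a normal client name, a format-string
# payload, a lone '%', and the format-string payload with the Host Name option placed first.
SAMPLES = {
    "benign": dhcp_discover(b"laptop-01"),
    "fmtstr": dhcp_discover(b"%n%n%n%n"),
    "single_percent": dhcp_discover(b"100%"),
    "fmtstr_hostname_first": dhcp_discover(b"%n%n%n%n", hostname_first=True),
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: rule_fires} for every sample."""
    return {k: sid_2039_matches(v) for k, v in samples.items()}


if __name__ == "__main__":
    for name, fires in evaluate().items():
        print(f"{name:22s} sid2039={fires}")
```

# Because the search for 0x0C starts at byte 241, the example also shows that the rule relies
# on another option (here 53, the message type) preceding the Host Name option; a request
# whose option list opens with option 12 at byte 240 passes this rule unmatched.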
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY-OTHER xtacacs login attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|00|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2040; rev:7;)
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|02|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2041; rev:7;)
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY-OTHER xtacacs accepted login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|01|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2042; rev:7;)
# alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|";  within:8; distance:13; metadata:ruleset community; classtype:misc-activity; sid:2043; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY-OTHER PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; classtype:attempted-admin; sid:2044; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt UDP"; flow:to_server; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:2046; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:2047; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL ping attempt"; flow:to_server; content:"|02|"; depth:1; metadata:ruleset community; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; metadata:ruleset community; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:2050; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart access"; flow:to_server,established; content:"/cached_feed.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP overflow.cgi access"; flow:to_server,established; content:"/overflow.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq process_bug.cgi access"; flow:to_server,established; content:"/process_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi arbitrary command attempt"; flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern; nocase; http_uri; content:"who="; content:"|3B|"; distance:0; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi access"; flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; metadata:ruleset community, service http; reference:bugtraq,9561; reference:cve,2003-1567; reference:cve,2004-2320; reference:cve,2010-0360; reference:nessus,11213; classtype:web-application-attack; sid:2056; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP helpout.exe access"; flow:to_server,established; content:"/helpout.exe"; http_uri; metadata:ruleset community, service http; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe attempt"; flow:to_server,established; content:"/MsmMask.exe"; http_uri; content:"mask="; metadata:ruleset community, service http; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe access"; flow:to_server,established; content:"/MsmMask.exe"; http_uri; metadata:ruleset community, service http; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DB4Web access"; flow:to_server,established; content:"/DB4Web/"; http_uri; metadata:ruleset community, service http; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat null byte directory listing attempt"; flow:to_server,established; content:"|00|.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; reference:nessus,11438; classtype:web-application-attack; sid:2061; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet .perf access"; flow:to_server,established; content:"/.perf"; http_uri; metadata:ruleset community, service http; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established; content:"/dm/demarc"; http_uri; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; metadata:ruleset community, service http; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .csp script source download attempt"; flow:to_server,established; content:".csp."; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:2065; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .pl script source download attempt"; flow:to_server,established; content:".pl"; http_uri; content:".pl"; content:"."; within:1; metadata:ruleset community, service http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2066; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .exe script source download attempt"; flow:to_server,established; content:".exe"; http_uri; content:".exe"; content:"."; within:1; metadata:ruleset community, service http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2067; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BitKeeper arbitrary command attempt"; flow:to_server,established; content:"/diffs/"; http_uri; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; metadata:ruleset community, service http; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP chip.ini access"; flow:to_server,established; content:"/chip.ini"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe arbitrary command attempt"; flow:to_server,established; content:"/post32.exe|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe access"; flow:to_server,established; content:"/post32.exe"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP lyris.pl access"; flow:to_server,established; content:"/lyris.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP globals.pl access"; flow:to_server,established; content:"/globals.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Mambo uploadimage.php upload php file attempt"; flow:to_server,established;
content:"/uploadimage.php"; http_uri; content:"userfile_name="; content:".php";
distance:1; metadata:ruleset community, service http; reference:bugtraq,6572;
reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack;
sid:2074; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Mambo upload.php upload php file attempt"; flow:to_server,established;
content:"/upload.php"; http_uri; content:"userfile_name="; content:".php";
distance:1; metadata:ruleset community, service http; reference:bugtraq,6572;
reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack;
sid:2075; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Mambo uploadimage.php access"; flow:to_server,established;
content:"/uploadimage.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6572; reference:cve,2003-1204;
reference:nessus,16315; classtype:web-application-activity; sid:2076; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Mambo upload.php access"; flow:to_server,established; content:"/upload.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315;
classtype:web-application-activity; sid:2077; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
phpBB privmsg.php access"; flow:to_server,established; content:"/privmsg.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,6634; reference:cve,2003-1530; classtype:web-application-
activity; sid:2078; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr
request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00
00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220;
classtype:rpc-portmap-decode; sid:2079; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr
request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4;
offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86
B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset
community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508;
reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd
request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00
00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359;
classtype:rpc-portmap-decode; sid:2081; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd
request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4;
offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h";
within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community,
service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-
0359; classtype:rpc-portmap-decode; sid:2082; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd
xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12;
content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:4; metadata:ruleset community; reference:bugtraq,5072;
reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode;
sid:2083; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd
xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h";
depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5072;
reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode;
sid:2084; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956;
reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051;
reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423;
classtype:web-application-activity; sid:2085; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
streaming server parse_xml.cgi access"; flow:to_server,established;
content:"/parse_xml.cgi"; fast_pattern:only; metadata:ruleset community, service
http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956;
reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051;
reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423;
classtype:web-application-activity; sid:2086; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL From comment
overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase;
content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|";
distance:1; content:"|29|"; distance:1; metadata:ruleset community, service smtp;
reference:bugtraq,6991; reference:cve,2002-1337;
reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087;
rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated
arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12;
content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|";
depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community;
reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208;
classtype:misc-attack; sid:2088; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated
arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86
BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|";
distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-
ips drop, ruleset community; reference:bugtraq,1749; reference:cve,1999-0208;
classtype:misc-attack; sid:2089; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV
exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A|
text/xml|0A|HOST|3A|"; http_header; content:"Accept|3A| */*|0A|Translate|3A| f|0A|
Content-length|3A|5276|0A 0A|"; http_header; metadata:ruleset community, service
http; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109;
reference:nessus,11413; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2090; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV
nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|
0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; metadata:ruleset community,
service http; reference:bugtraq,7116; reference:cve,2003-0109;
reference:nessus,11412; reference:nessus,11413;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007;
classtype:attempted-admin; sid:2091; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy
integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5;
offset:12; content:"|00 00 00 05|"; within:4; distance:3;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,36564;
reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420;
classtype:rpc-portmap-decode; sid:2092; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy
integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0
00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,7123;
reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode;
sid:2093; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP
CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86
E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,36615;
reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699;
reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP
CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|
00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,5356; reference:cve,2002-0391;
reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SubSeven 2.1
Gold server connection response"; flow:to_client,established; content:"connected.
time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1;
metadata:ruleset community; reference:mcafee,10566; reference:nessus,10409;
classtype:trojan-activity; sid:2100; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows
SMB Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established;
content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!
&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5;
metadata:ruleset community; reference:bugtraq,5556; reference:cve,2002-0724;
reference:nessus,11110; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?
idx=262; classtype:protocol-command-decode; sid:2101; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2
unicode maximum param count overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2;
distance:29; byte_test:2,>,1024,-12,relative,little; metadata:ruleset community;
reference:cve,2003-0201; classtype:protocol-command-decode; sid:2103; rev:16;)
# alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE rexec
username too long response"; flow:to_client,established; content:"username too
long"; depth:17; metadata:ruleset community; reference:bugtraq,7459;
reference:cve,2003-1097; classtype:unsuccessful-user; sid:2104; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate
literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE";
fast_pattern:only; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop,
ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0042;
reference:cve,2006-6424; reference:nessus,10292; classtype:misc-attack; sid:2105;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub overflow
attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative;
pcre:"/\sLSUB\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset
community, service imap; reference:bugtraq,1110; reference:bugtraq,15006;
reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374;
classtype:misc-attack; sid:2106; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create buffer
overflow attempt"; flow:to_server,established; content:"CREATE";
isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,7446; reference:cve,2003-1470;
classtype:misc-attack; sid:2107; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP CAPA overflow
attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative;
pcre:"/^CAPA\s[^\n]{10}/smi"; metadata:ruleset community, service pop3;
classtype:attempted-admin; sid:2108; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP TOP overflow
attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:50,relative;
pcre:"/^TOP\s[^\n]{50}/smi"; metadata:ruleset community, service pop3;
classtype:attempted-admin; sid:2109; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP STAT overflow
attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative;
pcre:"/^STAT\s[^\n]{10}/smi"; metadata:ruleset community, service pop3;
classtype:attempted-admin; sid:2110; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE overflow
attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative;
pcre:"/^DELE\s[^\n]{10}/smi"; metadata:ruleset community, service pop3;
classtype:attempted-admin; sid:2111; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP RSET overflow
attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative;
pcre:"/^RSET\s[^\n]{10}/smi"; metadata:ruleset community, service pop3;
classtype:attempted-admin; sid:2112; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec
username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9;
content:"|00|"; distance:0; content:"|00|"; distance:0; metadata:ruleset community;
classtype:attempted-admin; sid:2113; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec
password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|
00|"; distance:33; content:"|00|"; distance:0; metadata:ruleset community;
classtype:attempted-admin; sid:2114; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
album.pl access"; flow:to_server,established; content:"/album.pl";
fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,7444; reference:cve,2003-1456; reference:nessus,11581;
classtype:web-application-activity; sid:2115; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
chipcfg.cgi access"; flow:to_server,established; content:"/chipcfg.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2767; reference:cve,2001-1341;
reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html;
classtype:web-application-activity; sid:2116; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
Battleaxe Forum login.asp access"; flow:to_server,established;
content:"myaccount/login.asp"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,7416; reference:cve,2003-0215;
reference:nessus,11548; classtype:web-application-activity; sid:2117; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list overflow
attempt"; flow:established,to_server; content:"LIST"; nocase;
isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; metadata:policy max-detect-
ips drop, ruleset community, service imap; reference:bugtraq,1110;
reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155;
reference:nessus,10374; classtype:misc-attack; sid:2118; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename literal
overflow attempt"; flow:established,to_server; content:"RENAME"; fast_pattern:only;
pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative;
metadata:ruleset community, service imap; reference:bugtraq,1110;
reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create literal
buffer overflow attempt"; flow:to_server,established; content:"CREATE";
fast_pattern:only; pcre:"/\sCREATE\s*\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap;
reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2120;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE negative
argument attempt"; flow:to_server,established; content:"DELE"; fast_pattern:only;
pcre:"/^DELE\s+-\d/smi"; metadata:ruleset community, service pop3;
reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539;
reference:nessus,11570; classtype:misc-attack; sid:2121; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP UIDL negative
argument attempt"; flow:to_server,established; content:"UIDL"; fast_pattern:only;
pcre:"/^UIDL\s+-\d/smi"; metadata:ruleset community, service pop3;
reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570;
classtype:misc-attack; sid:2122; rev:17;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE
Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18;
content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp.";
distance:0; metadata:policy max-detect-ips drop, ruleset community;
reference:nessus,11633; classtype:successful-admin; sid:2123; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"MALWARE-BACKDOOR Remote PC
Access connection"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00
00 00 00 00|"; depth:12; metadata:ruleset community; reference:nessus,11673;
classtype:trojan-activity; sid:2124; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD Root directory
traversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|
3A 5C|"; distance:1; metadata:ruleset community, service ftp;
reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677;
classtype:protocol-command-decode; sid:2125; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"OS-WINDOWS Microsoft Windows
PPTP Start Control Request buffer overflow attempt";
flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2;
offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community;
reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063;
classtype:attempted-admin; sid:2126; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ikonboard.cgi access"; flow:to_server,established; content:"/ikonboard.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity;
sid:2127; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
swsrv.cgi access"; flow:to_server,established; content:"/swsrv.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608;
classtype:web-application-activity; sid:2128; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
nsiislog.dll access"; flow:to_server,established; content:"/nsiislog.dll";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349;
reference:nessus,11664; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms03-018; classtype:web-application-activity; sid:2129;
rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
IISProtect siteadmin.asp access"; flow:to_server,established;
content:"/iisprotect/admin/SiteAdmin.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,7675; reference:cve,2003-0377;
reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/";
nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661;
classtype:web-application-activity; sid:2131; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
Synchrologic Email Accelerator userid list access attempt";
flow:to_server,established; content:"/en/admin/aggregate.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:nessus,11657; classtype:web-
application-activity; sid:2132; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS
BizTalk server access"; flow:to_server,established;
content:"/biztalkhttpreceive.dll"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-
0117; reference:cve,2003-0118; reference:nessus,11638;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-016;
classtype:web-application-activity; sid:2133; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
register.asp access"; flow:to_server,established; content:"/register.asp"; nocase;
http_uri; metadata:ruleset community, service http; reference:nessus,11621;
classtype:web-application-activity; sid:2134; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
philboard.mdb access"; flow:to_server,established; content:"/philboard.mdb";
http_uri; metadata:ruleset community, service http; reference:nessus,11682;
classtype:web-application-activity; sid:2135; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
philboard_admin.asp authentication bypass attempt"; flow:to_server,established;
content:"/philboard_admin.asp"; http_uri; content:"Cookie"; nocase;
content:"philboard_admin=True"; distance:0; metadata:ruleset community, service
http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-
attack; sid:2136; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
philboard_admin.asp access"; flow:to_server,established;
content:"/philboard_admin.asp"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity;
sid:2137; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
logicworks.ini access"; flow:to_server,established; content:"/logicworks.ini";
http_uri; metadata:ruleset community, service http; reference:bugtraq,6996;
reference:cve,2003-1383; reference:nessus,11639; classtype:web-application-
activity; sid:2138; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP /*.shtml
access"; flow:to_server,established; content:"/*.shtml"; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1517; reference:cve,2000-0683;
reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP p-
news.php access"; flow:to_server,established; content:"/p-news.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
shoutbox.php directory traversal attempt"; flow:to_server,established;
content:"/shoutbox.php"; http_uri; content:"conf="; content:"../"; distance:0;
metadata:ruleset community, service http; reference:nessus,11668; classtype:web-
application-attack; sid:2141; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
shoutbox.php access"; flow:to_server,established; content:"/shoutbox.php";
fast_pattern; nocase; http_uri; content:"conf="; nocase; http_uri; metadata:ruleset
community, service http; reference:nessus,11668; classtype:web-application-
activity; sid:2142; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2
cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established;
content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; content:"b2inc=";
pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:ruleset community, service http;
reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2
cafelog gm-2-b2.php access"; flow:to_server,established; content:"/gm-2-b2.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
TextPortal admin.php default password admin attempt"; flow:to_server,established;
content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=admin";
fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity;
sid:2145; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
TextPortal admin.php default password 12345 attempt"; flow:to_server,established;
content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=12345";
fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity;
sid:2146; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established;
content:"/objects.inc.php4"; http_uri; content:"Server[path]=";
pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:ruleset community, service
http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647;
classtype:web-application-attack; sid:2147; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
BLNews objects.inc.php4 access"; flow:to_server,established;
content:"/objects.inc.php4"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647;
classtype:web-application-activity; sid:2148; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Turba status.php access"; flow:to_server,established; content:"/turba/status.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ttCMS header.php remote file include attempt"; flow:to_server,established;
content:"/admin/templates/header.php"; fast_pattern; nocase; http_uri;
content:"admin_root="; nocase; http_uri; pcre:"/admin_root=(https?|ftps?|php)/Ui";
metadata:ruleset community, service http; reference:bugtraq,7542;
reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458;
reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-attack;
sid:2150; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ttCMS header.php access"; flow:to_server,established;
content:"/admin/templates/header.php"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,7542; reference:bugtraq,7543;
reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459;
reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
test.php access"; flow:to_server,established; content:"/test.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
autohtml.php directory traversal attempt"; flow:to_server,established;
content:"/autohtml.php"; fast_pattern; nocase; http_uri; content:"name=";
content:"../../"; distance:0; metadata:ruleset community, service http;
reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
autohtml.php access"; flow:to_server,established; content:"/autohtml.php";
http_uri; metadata:ruleset community, service http; reference:nessus,11630;
classtype:web-application-activity; sid:2154; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttforum remote file include attempt"; flow:to_server,established; content:"forum/index.php"; http_uri; content:"template="; http_uri; pcre:"/template=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP mod_gzip_status access"; flow:to_server,established; content:"/mod_gzip_status"; http_uri; metadata:ruleset community, service http; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:14;)
# alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:12;)
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; metadata:ruleset community, service netbios-ssn; classtype:attempted-recon; sid:2176; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:ruleset community; classtype:attempted-recon; sid:2177; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; classtype:misc-attack; sid:2179; rev:16;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service http; classtype:policy-violation; sid:2180; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"|3A|"; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/^\s*Content-Transfer-Encoding\s*\x3A[^\n]{100}/mi"; metadata:ruleset community, service smtp; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community; classtype:attempted-dos; sid:2190; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community, service netbios-ssn; classtype:attempted-dos; sid:2191; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CSMailto.cgi access"; flow:to_server,established; content:"/CSMailto.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alert.cgi access"; flow:to_server,established; content:"/alert.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP catgy.cgi access"; flow:to_server,established; content:"/catgy.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsview2.cgi access"; flow:to_server,established; content:"/cvsview2.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvslog.cgi access"; flow:to_server,established; content:"/cvslog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP multidiff.cgi access"; flow:to_server,established; content:"/multidiff.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dnewsweb.cgi access"; flow:to_server,established; content:"/dnewsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Matt Wright download.cgi access"; flow:to_server,established; content:"/download.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webmin Directory edit_action.cgi access"; flow:to_server,established; content:"/edit_action.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright everythingform.cgi access"; flow:to_server,established; content:"/everythingform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezadmin.cgi access"; flow:to_server,established; content:"/ezadmin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezboard.cgi access"; flow:to_server,established; content:"/ezboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezman.cgi access"; flow:to_server,established; content:"/ezman.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FileSeek fileseek.cgi access"; flow:to_server,established; content:"/fileseek.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Faq-O-Matic fom.cgi access"; flow:to_server,established; content:"/fom.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infonautics getdoc.cgi access"; flow:to_server,established; content:"/getdoc.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple Vendors global.cgi access"; flow:to_server,established; content:"/global.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lars Ellingsen guestserver.cgi access"; flow:to_server,established; content:"/guestserver.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore imageFolio.cgi access"; flow:to_server,established; content:"/imageFolio.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oatmeal Studios Mail File mailfile.cgi access"; flow:to_server,established; content:"/mailfile.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3R Soft MailStudio 2000 mailview.cgi access"; flow:to_server,established; content:"/mailview.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Alabanza Control Panel nsManager.cgi access"; flow:to_server,established; content:"/nsManager.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail readmail.cgi access"; flow:to_server,established; content:"/readmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail printmail.cgi access"; flow:to_server,established; content:"/printmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Cobalt RaQ service.cgi access"; flow:to_server,established; content:"/service.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Interscan VirusWall setpasswd.cgi access"; flow:to_server,established; content:"/setpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright simplestmail.cgi access"; flow:to_server,established; content:"/simplestmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore ws_mail.cgi access"; flow:to_server,established; content:"/ws_mail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infinity CGI exploit scanner nph-exploitscanget.cgi access"; flow:to_server,established; content:"/nph-exploitscanget.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CGIScript.net csNews.cgi access"; flow:to_server,established; content:"/csNews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Psunami Bulletin Board psunami.cgi access"; flow:to_server,established; content:"/psunami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys BEFSR41 gozila.cgi access"; flow:to_server,established; content:"/gozila.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pmachine remote file include attempt"; flow:to_server,established; content:"lib.inc.php"; fast_pattern; nocase; http_uri; content:"pm_path="; http_uri; pcre:"/pm_path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP forum_details.php access"; flow:to_server,established; content:"forum_details.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; content:"db_details_importdocsql.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viewtopic.php access"; flow:to_server,established; content:"/viewtopic.php"; fast_pattern; nocase; http_uri; content:"days="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cGFzc3dvcmQ"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/smiH"; metadata:ruleset community, service http; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.dll access"; flow:to_server,established; content:"/register.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ContentFilter.dll access"; flow:to_server,established; content:"/ContentFilter.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SFNofitication.dll access"; flow:to_server,established; content:"/SFNofitication.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TOP10.dll access"; flow:to_server,established; content:"/TOP10.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SpamExcp.dll access"; flow:to_server,established; content:"/SpamExcp.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spamrule.dll access"; flow:to_server,established; content:"/spamrule.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiWebupdate.exe access"; flow:to_server,established; content:"/cgiWebupdate.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebLogic ConsoleHelp view source attempt"; flow:to_server,established; content:"/ConsoleHelp/"; nocase; http_uri; content:".jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect.exe access"; flow:to_server,established; content:"/redirect.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2239; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP changepw.exe access"; flow:to_server,established; content:"/changepw.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2240; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cwmail.exe access"; flow:to_server,established; content:"/cwmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ddicgi.exe access"; flow:to_server,established; content:"/ddicgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ndcgi.exe access"; flow:to_server,established; content:"/ndcgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VsSetCookie.exe access"; flow:to_server,established; content:"/VsSetCookie.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webnews.exe access"; flow:to_server,established; content:"/Webnews.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webadmin.dll access"; flow:to_server,established; content:"/webadmin.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS UploadScript11.asp access"; flow:to_server,established; content:"/UploadScript11.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3608; reference:cve,2001-0938; reference:nessus,11746; classtype:web-application-activity; sid:2247; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS DirectoryListing.asp access"; flow:to_server,established; content:"/DirectoryListing.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /pcadmin/login.asp access"; flow:to_server,established; content:"/pcadmin/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:22;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; fast_pattern:only; pcre:"/^XEXCH50\s+-\d/smi"; metadata:ruleset community, service smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2253; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community; classtype:misc-attack; sid:2255; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community, service sunrpc; classtype:misc-attack; sid:2256; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND
FROM prescan too long addresses overflow"; flow:to_server,established;
content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]
{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,7230; reference:cve,2003-0161;
reference:nessus,11499; classtype:misc-attack; sid:2262; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML
FROM prescan too many addresses overflow"; flow:to_server,established;
content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi";
metadata:ruleset community, service smtp; reference:bugtraq,6991;
reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML
FROM prescan too long addresses overflow"; flow:to_server,established;
content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]
{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,7230; reference:cve,2003-0161;
reference:nessus,11499; classtype:misc-attack; sid:2264; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML
FROM prescan too many addresses overflow"; flow:to_server,established;
content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi";
metadata:ruleset community, service smtp; reference:bugtraq,6991;
reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML
FROM prescan too long addresses overflow"; flow:to_server,established;
content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]
{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,7230; reference:cve,2003-0161;
reference:nessus,11499; classtype:misc-attack; sid:2266; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail MAIL FROM prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail MAIL FROM prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:attempted-admin; sid:2268; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:cve,2003-0694; reference:nessus,11499; classtype:attempted-admin; sid:2270; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:ruleset community; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; fast_pattern:only; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; reference:nessus,11912; classtype:misc-attack; sid:2272; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login brute force attempt"; flow:to_server,established,no_stream; content:"LOGIN"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; classtype:suspicious-login; sid:2273; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP login brute force attempt"; flow:to_server,established,no_stream; content:"USER"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service pop3; classtype:suspicious-login; sid:2274; rev:10;)
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL AUTH LOGON brute force attempt"; flow:to_client,established,no_stream; content:"Authentication unsuccessful"; offset:54; nocase; detection_filter:track by_dst, count 5, seconds 60; metadata:ruleset community, service smtp; classtype:suspicious-login; sid:2275; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle portal demo access"; flow:to_server,established; content:"/pls/portal/PORTAL_DEMO"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; content:"/psdoccgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HTTP request with negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,16354; reference:bugtraq,17879; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2005-3653; reference:cve,2006-2162; reference:cve,2006-3655; reference:cve,2014-9192; reference:cve,2015-5343; reference:cve,2017-1000470; classtype:misc-attack; sid:2278; rev:33;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP UpdateClasses.php access"; flow:to_server,established; content:"/UpdateClasses.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Title.php access"; flow:to_server,established; content:"/Title.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Setup.php access"; flow:to_server,established; content:"/Setup.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; reference:cve,2009-1151; classtype:web-application-activity; sid:2281; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP GlobalFunctions.php access"; flow:to_server,established; content:"/GlobalFunctions.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DatabaseFunctions.php access"; flow:to_server,established; content:"/DatabaseFunctions.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook remote file include attempt"; flow:to_server,established; content:"/insert.inc.php"; fast_pattern; nocase; http_uri; content:"path="; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook access"; flow:to_server,established; content:"/insert.inc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP friends.php access"; flow:to_server,established; content:"/friends.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_comment.php access"; flow:to_server,established; content:"/admin_comment.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_edit.php access"; flow:to_server,established; content:"/admin_edit.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_embed.php access"; flow:to_server,established; content:"/admin_embed.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_help.php access"; flow:to_server,established; content:"/admin_help.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_license.php access"; flow:to_server,established; content:"/admin_license.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_logout.php access"; flow:to_server,established; content:"/admin_logout.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_password.php access"; flow:to_server,established; content:"/admin_password.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_preview.php access"; flow:to_server,established; content:"/admin_preview.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_settings.php access"; flow:to_server,established; content:"/admin_settings.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_stats.php access"; flow:to_server,established; content:"/admin_stats.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; content:"/admin_templates_misc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates.php access"; flow:to_server,established; content:"/admin_templates.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; content:"/admin_tpl_misc_new.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; content:"/admin_tpl_new.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll booth.php access"; flow:to_server,established; content:"/booth.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll poll_ssi.php access"; flow:to_server,established; content:"/poll_ssi.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll popup.php access"; flow:to_server,established; content:"/popup.php"; fast_pattern; nocase; http_uri; content:"include_path="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.inc.php access"; flow:to_server,established; content:"/files.inc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8910; reference:cve,2003-1153; classtype:web-application-activity; sid:2304; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP chatbox.php access"; flow:to_server,established; content:"/chatbox.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8930; reference:cve,2003-1191; classtype:web-application-activity; sid:2305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gallery remote file include attempt"; flow:to_server,established; content:"/setup/"; http_uri; content:"GALLERY_BASEDIR="; http_uri; pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,8814; reference:cve,2003-1227; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; http_uri; content:"page="; http_uri; pcre:"/page=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:15;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS non-relative path error response"; flow:to_client,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2317; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola USER overflow attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.exe access"; flow:to_server,established; content:"/foxweb.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.dll access"; flow:to_server,established; content:"/foxweb.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iSoft-Solutions QuickStore shopping cart quickstore.cgi access"; flow:to_server,established; content:"/quickstore.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; content:"/shopsearch.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; content:"/ShopDisplayProducts.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS sgdynamo.exe access"; flow:to_server,established; content:"/sgdynamo.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsml.pl access"; flow:to_server,established; content:"/bsml.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP authentication_index.php access"; flow:to_server,established; content:"/authentication_index.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:15;)
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SERVER-MSSQL probe response overflow attempt"; flow:to_server; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; metadata:ruleset community; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth overflow attempt"; flow:to_server,established; content:"AUTH"; isdataat:368,relative; content:!"|0A|"; within:368; metadata:ruleset community, service imap; reference:bugtraq,8861; reference:cve,2003-1177; reference:nessus,11910; classtype:misc-attack; sid:2330; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD format string attempt"; flow:to_server,established; content:"MKD"; fast_pattern:only; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; fast_pattern:only; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; fast_pattern:only; pcre:"/^USER\s+y049575046/smi"; metadata:ruleset community; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP RMD / attempt"; flow:to_server,established; content:"RMD"; fast_pattern:only; pcre:"/^RMD\s+\x2f$/smi"; metadata:ruleset community; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT filename overflow attempt"; flow:to_server; content:"|00|"; depth:1; byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|"; within:100; distance:2; metadata:ruleset community; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2006-6184; reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:128,relative; pcre:"/^LIST(?!\n)\s[^\n]{128}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,14339; reference:bugtraq,33454; reference:bugtraq,58247; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:cve,2004-1992; reference:cve,2005-2373; reference:cve,2007-0019; reference:cve,2009-0351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-003; classtype:misc-attack; sid:2338; rev:35;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NULL command attempt"; flow:to_server; content:"|00 00|"; depth:2; metadata:ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:200,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include editor script attempt"; flow:to_server,established; content:"/library/editor/editor.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include lib script attempt"; flow:to_server,established; content:"/library/lib.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:200,relative; content:!"|0D|"; within:200; content:!"|0A|"; within:200; content:!"|00|"; within:200; metadata:ruleset community, service ftp; reference:bugtraq,8668; reference:cve,2000-0133; reference:url,exploit-db.com/exploits/39662/; classtype:attempted-admin; sid:2343; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11542; reference:bugtraq,8704; reference:cve,2004-2728; classtype:attempted-admin; sid:2344; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView search.php access"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"action=soundex"; fast_pattern; nocase; http_uri; content:"firstname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke chatheader.php access"; flow:to_server,established; content:"/chatheader.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke partner.php access"; flow:to_server,established; content:"/partner.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox cord.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"ideaDir="; fast_pattern:only; content:"cord.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox notification.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"gorumDir="; fast_pattern:only; content:"notification.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board emailer.php file include"; flow:to_server,established; content:"/ad_member.php"; fast_pattern; nocase; http_uri; content:"emailer.php"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat db_mysql.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"db_mysql.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat english.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"english.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2357; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 translations.php file include"; flow:to_server,established; content:"/translations.php"; fast_pattern; nocase; http_uri; content:"ONLY="; nocase; metadata:ruleset community, service http; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board ipchat.php file include"; flow:to_server,established; content:"/ipchat.php"; nocase; http_uri; content:"root_path="; content:"conf_global.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6976; reference:cve,2003-1385; classtype:web-application-attack; sid:2359; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
myphpPagetool pt_config.inc file include"; flow:to_server,established;
content:"/doc/admin"; nocase; http_uri; content:"ptinclude="; nocase;
content:"pt_config.inc"; fast_pattern:only; metadata:ruleset community, service
http; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
news.php file include"; flow:to_server,established; content:"/news.php";
fast_pattern; nocase; http_uri; content:"template="; nocase; metadata:ruleset
community, service http; reference:bugtraq,6674; classtype:web-application-attack;
sid:2361; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP YaBB
SE packages.php file include"; flow:to_server,established; content:"/packages.php";
fast_pattern; nocase; http_uri; content:"packer.php"; nocase; metadata:ruleset
community, service http; reference:bugtraq,6663; classtype:web-application-attack;
sid:2362; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Cyboards default_header.php access"; flow:to_server,established;
content:"/default_header.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6597; classtype:web-application-
activity; sid:2363; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Cyboards options_form.php access"; flow:to_server,established;
content:"/options_form.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6597; classtype:web-application-
activity; sid:2364; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
newsPHP Language file include attempt"; flow:to_server,established;
content:"/nphpd.php"; fast_pattern; nocase; http_uri; content:"LangFile"; nocase;
metadata:ruleset community, service http; reference:bugtraq,8488; classtype:web-
application-activity; sid:2365; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
PhpGedView PGV authentication_index.php base directory manipulation attempt";
flow:to_server,established; content:"/authentication_index.php"; nocase; http_uri;
content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-
application-attack; sid:2366; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
PhpGedView PGV functions.php base directory manipulation attempt";
flow:to_server,established; content:"/functions.php"; nocase; http_uri;
content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-
application-attack; sid:2367; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
PhpGedView PGV config_gedcom.php base directory manipulation attempt";
flow:to_server,established; content:"/config_gedcom.php"; nocase; http_uri;
content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-
application-attack; sid:2368; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
ISAPISkeleton.dll access"; flow:to_server,established;
content:"/ISAPISkeleton.dll"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9516; reference:cve,2004-2128;
classtype:web-application-activity; sid:2369; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
BugPort config.conf file access"; flow:to_server,established;
content:"/config.conf"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,9542; reference:cve,2004-2353; classtype:attempted-
recon; sid:2370; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Sample_showcode.html access"; flow:to_server,established;
content:"/Sample_showcode.html"; nocase; http_uri; content:"fname";
metadata:ruleset community, service http; reference:bugtraq,9555;
reference:cve,2004-2170; classtype:web-application-activity; sid:2371; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Photopost PHP Pro showphoto.php access"; flow:to_server,established;
content:"/showphoto.php"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,9557; reference:cve,2004-0239; reference:cve,2004-
0250; classtype:web-application-activity; sid:2372; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XMKD overflow
attempt"; flow:to_server,established; content:"XMKD"; nocase;
isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,7909; reference:cve,2000-0133;
reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP NLST overflow
attempt"; flow:to_server,established; content:"NLST"; nocase;
isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,7909; reference:cve,1999-1544;
reference:cve,2009-3023; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653;
classtype:attempted-admin; sid:2374; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"MALWARE-CNC
DoomJuice/mydoom.a backdoor upload/execute"; flow:to_server,established; content:"|
85 13|<|9E A2|"; depth:5; metadata:ruleset community;
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.h
tml; classtype:trojan-activity; sid:2375; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP first
payload certificate request length overflow attempt"; flow:to_server;
byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30;
metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040;
classtype:attempted-admin; sid:2376; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second
payload certificate request length overflow attempt"; flow:to_server;
byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30;
byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582;
reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP third
payload certificate request length overflow attempt"; flow:to_server;
byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4;
byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community;
reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin;
sid:2378; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP fourth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt"; flow:to_server,established; content:"|3A|/"; offset:11; http_uri; pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; metadata:ruleset community, service http; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2382; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2383; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NTLM ASN1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:20; nocase; http_header; content:"YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; within:100; http_header; metadata:ruleset community, service http; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:attempted-dos; sid:2386; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Apple QuickTime streaming server view_broadcast.cgi access"; flow:to_server,established; content:"/view_broadcast.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; reference:cve,2005-3683; classtype:attempted-admin; sid:2389; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; reference:cve,2003-0772; classtype:attempted-admin; sid:2391; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,23168; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; reference:cve,2005-3683; classtype:attempted-admin; sid:2392; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /_admin access"; flow:to_server,established; content:"/_admin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9537; reference:cve,2007-1156; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; metadata:ruleset community; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP InteractiveQuery.jsp access"; flow:to_server,established; content:"/InteractiveQuery.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whereami.cgi?"; nocase; http_uri; content:"g="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi access"; flow:to_server,established; content:"/whereami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; content:"newsletter.php"; nocase; http_uri; content:"waroot"; fast_pattern:only; content:"start.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter db_type.php access"; flow:to_server,established; content:"/sql/db_type.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edittag.pl access"; flow:to_server,established; content:"/edittag.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6675; reference:cve,2003-1351; classtype:web-application-activity; sid:2400; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2401; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2402; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2403; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2404; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phptest.php access"; flow:to_server,established; content:"/phptest.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9737; reference:cve,2004-2374; classtype:web-application-activity; sid:2405; rev:14;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP util.pl access"; flow:to_server,established; content:"/util.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9748; reference:cve,2004-2379; classtype:web-application-activity; sid:2407; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Power Board search.pl access"; flow:to_server,established; content:"/search.pl"; http_uri; content:"st="; nocase; metadata:ruleset community, service http; reference:bugtraq,9766; reference:cve,2004-0338; classtype:web-application-activity; sid:2408; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,9794; reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; content:"/page.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-WEBAPP RealNetworks RealSystem Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; metadata:ruleset community; reference:bugtraq,8476; reference:cve,2003-0725; reference:nessus,11642; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:16;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:ruleset community; classtype:successful-user; sid:2412; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP delete hash with empty hash attempt"; flow:to_server; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; pcre:"/^MDTM \d+[-+]\D/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15352; reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074; reference:cve,2007-1195; reference:cve,2009-4769; classtype:string-detect; sid:2417; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; metadata:ruleset community; reference:cve,2001-0663; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:attempted-dos; sid:2418; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; content:".ra"; fast_pattern:only; http_uri; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:28;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; content:".rmp"; fast_pattern:only; http_uri; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmp; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:29;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; content:".rp"; fast_pattern:only; http_uri; pcre:"/\x2erp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; fast_pattern:only; pcre:"/^sendsys\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; fast_pattern:only; pcre:"/^senduuname\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP version overflow attempt"; flow:to_server,established; content:"version"; fast_pattern:only; pcre:"/^version\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; fast_pattern:only; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2427; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; fast_pattern:only; pcre:"/^ihave\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2428; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; fast_pattern:only; pcre:"/^sendme\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2429; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; fast_pattern:only; pcre:"/^newgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2430; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; fast_pattern:only; pcre:"/^rmgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2431; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; fast_pattern:only; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; metadata:ruleset community; classtype:attempted-admin; sid:2432; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; metadata:ruleset community; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft emf file download request"; flow:to_server,established; content:".emf"; fast_pattern:only; http_uri; pcre:"/\x2eemf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.emf; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service http; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:2435; rev:33;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; content:".wmf"; fast_pattern:only; http_uri; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wmf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:29;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"application/smi"; fast_pattern; nocase; http_header; file_data; content:"file|3A|javascript|3A|"; pcre:"/<area\s+href=[\x22\x27]file\x3ajavascript\x3a/smi"; metadata:ruleset community, service http; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2438; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2439; rev:23;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"rtsp|3A|//"; nocase; pcre:"/^rtsp\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2440; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"login=0"; nocase; http_cookie; metadata:ruleset community, service http; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:14;)
# alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; metadata:ruleset community; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ServletManager access"; flow:to_server,established; content:"/servlet/ServletManager"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP setinfo.hts access"; flow:to_server,established; content:"/setinfo.hts"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9973; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful logon"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2450; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM voicechat"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2451; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2452; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference invitation"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2453; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference logon success"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2454; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2455; rev:8;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2456; rev:9;)
# alert tcp any any <> any 5101 (msg:"POLICY-SOCIAL Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:2457; rev:7;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful chat join"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2458; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2459; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"POLICY-SOCIAL Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; metadata:ruleset community; classtype:policy-violation; sid:2460; rev:9;)
# alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference watch"; flow:to_client,established; content:"|0D 00 05 00|"; depth:4; metadata:ruleset community; classtype:policy-violation; sid:2461; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:2474; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP source.jsp access"; flow:to_server,established; content:"/source.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-user; sid:2485; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|"; depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-type buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-disposition buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1040,relative; content:!"</STREAMQUOTE>"; within:1040; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2489; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2490; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2508; rev:24;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:ruleset community, service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:21;)
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP spoofed connection reset attempt"; flow:established,no_stream; flags:RSF*; detection_filter:track by_dst,count 10,seconds 10; metadata:ruleset community; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; metadata:ruleset community; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9971; reference:cve,2004-1856; classtype:web-application-activity; sid:2547; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9972; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; fast_pattern:only; content:"WriteToFile"; nocase; metadata:ruleset community; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xm; file_data; content:"Extended Module|3A 20|"; nocase; byte_test:1,!=,26,20,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1896; reference:url,www.securityfocus.com/bid/10045; classtype:attempted-user; sid:2550; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; fast_pattern:only; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; metadata:ruleset community; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; metadata:ruleset community; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:8;)
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata:ruleset community, service netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:7;)
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; metadata:ruleset community, service netbios-ns; reference:bugtraq,10335; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP modules.php access"; flow:to_server,established; content:"/modules.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9879; reference:cve,2004-1817; classtype:web-application-activity; sid:2565; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPBB viewforum.php access"; flow:to_server,established; content:"/viewforum.php"; nocase; http_uri; content:"topic_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9865; reference:bugtraq,9866; reference:cve,2004-1809; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail init.emu access"; flow:to_server,established; content:"/init.emu"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail emumail.fcgi access"; flow:to_server,established; content:"/emumail.fcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cPanel resetpass access"; flow:to_server,established; content:"/resetpass"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9848; reference:cve,2004-1769; classtype:web-application-activity; sid:2569; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP invalid HTTP version string"; flow:to_server,established; content:" HTTP/"; depth:300; nocase; isdataat:5,relative; content:!"0.9"; within:3; content:!"1.0"; within:3; content:!"1.1"; within:3; pcre:!"/^[^\n]* HTTP\x2f(0\.9|1\.[01])\s*\n/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,34240; reference:bugtraq,9809; reference:cve,2009-0478; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; content:"/frmGetAttachment.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2571; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; content:"/login.aspx"; nocase; http_uri; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-attack; sid:2572; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmCompose.aspx access"; flow:to_server,established; content:"/frmCompose.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2573; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR format string
attempt"; flow:to_server,established; content:"RETR"; fast_pattern:only;
pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp;
reference:bugtraq,9800; reference:cve,2004-1883; classtype:attempted-admin;
sid:2574; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Opt-
X header.php remote file include attempt"; flow:to_server,established;
content:"/header.php"; nocase; http_uri; content:"systempath="; fast_pattern:only;
pcre:"/systempath=(https?|ftps?|php)/i"; metadata:ruleset community, service http;
reference:bugtraq,9732; reference:cve,2004-2368; classtype:web-application-attack;
sid:2575; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.generate_replication_support buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.generate_replication_support";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|
package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|
procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-
user; sid:2576; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER local
resource redirection attempt"; flow:to_client,established; content:"Location|3A|";
nocase; http_header; pcre:"/^Location\x3a(\s*|\s*\r?\n\s+)*URL\s*\x3a/smiH";
metadata:ruleset community, service http; reference:cve,2004-0549;
reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577;
rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal
name overflow UDP"; flow:to_server; content:"j"; depth:1; content:"|01 A1|";
asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service
kerberos; reference:cve,2003-0072; reference:nessus,11512;
reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt;
classtype:attempted-admin; sid:2578; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal
name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4;
content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset
community, service kerberos; reference:cve,2003-0072; reference:nessus,11512;
reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt;
classtype:attempted-admin; sid:2579; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP server
negative Content-Length attempt"; flow:to_client,established; content:"Content-
Length"; nocase; pcre:"/^Content-Length\s*\x3a\s*-\d+/mi"; metadata:ruleset
community, service http; reference:bugtraq,10508; reference:cve,2004-0492;
reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SAP
Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established;
content:"/crystalimagehandler.aspx"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,2004-0204;
reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx;
classtype:web-application-activity; sid:2581; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS SAP
Crystal Reports crystalImageHandler.asp directory traversal attempt";
flow:to_server,established; content:"/crystalimagehandler"; fast_pattern:only;
http_uri; content:"dynamicimage=../"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,10260; reference:cve,2004-0204;
reference:nessus,12271; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Max-dotdot
integer overflow attempt"; flow:to_server,established; content:"Max-dotdot";
fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:ruleset
community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack;
sid:2583; rev:8;)
# alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"SERVER-OTHER eMule
buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG";
fast_pattern:only; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]
{69}/smi"; metadata:ruleset community; reference:bugtraq,10039; reference:cve,2004-
1892; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:9;)
# alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server
response"; flow:established,to_client; content:"Server|3A| eMule";
fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net;
classtype:policy-violation; sid:2587; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
TUTOS path disclosure attempt"; flow:to_server,established;
content:"/note_overview.php"; http_uri; content:"id="; metadata:ruleset community,
service http; reference:bugtraq,10129;
reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-
application-activity; sid:2588; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft
Windows Content-Disposition CLSID command attempt"; flow:to_client,established;
content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/^Content-
Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-
fA-F]{12}\}/smiH"; metadata:ruleset community, service http;
reference:bugtraq,9510; reference:cve,2004-0420;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024;
classtype:attempted-user; sid:2589; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Samba SWAT Authorization overflow attempt"; flow:to_server,established;
content:"Authorization|3A|"; nocase; http_header; content:"Basic"; within:50;
nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smiH";
metadata:ruleset community, service http; reference:bugtraq,10780;
reference:cve,2004-0600; classtype:web-application-attack; sid:2597; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established;
content:"Authorization|3A| Basic"; nocase;
pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smi"; metadata:ruleset
community, service http; reference:bugtraq,10780; reference:cve,2004-0600;
classtype:web-application-attack; sid:2598; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.add_grouped_column buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|
oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2599;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.drop_master_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community; classtype:attempted-user; sid:2601; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2609; rev:7;)
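The SERVER-ORACLE procedure rules from sid 2599 onward share one PCRE skeleton: a string literal of at least 1024 (for some procedures 512 or 128) characters that is either assigned to a PL/SQL variable which is then passed as the named parameter, passed directly as that named parameter, or passed positionally after a fixed number of shorter quoted arguments. The Python below is an added example, not code from the Snort community ruleset, that rebuilds the check with one compiled pattern per branch and runs it over constructed PL/SQL samples; the RULES table is distilled from sids 2599 and 2601 only, and the threshold, procedure names and samples are the example's own. It also carries a literal translation of the sid 2599 PCRE to show a consequence of writing all branches in one pattern: every branch reuses `\2`, so in the "variable passed as oname" branch the backreference names a group that did not take part in the match, and that branch cannot fire in Python's re or in PCRE's default mode.

```python
import re

# Added example: rebuilds the argument-length check shared by the SERVER-ORACLE
# procedure rules with one compiled pattern per detection branch. Every PL/SQL
# sample below is constructed for this example.

def long_literal(n, closed=False):
    """Quoted string of at least n characters, the rules' single- or
    double-quoted sub-pattern; closed=True also demands the closing quote."""
    if closed:
        return r"(?:'[^']{%d,}'|\"[^\"]{%d,}\")" % (n, n)
    return r"(?:'[^']{%d,}|\"[^\"]{%d,})" % (n, n)

def overflow_patterns(params, positional, n=1024):
    """One regex per branch of the rule skeleton.

    params      named parameters whose argument must stay under n characters
    positional  for each positional form, how many quoted arguments precede
                the argument being checked (0 = it is the first argument)
    """
    flags = re.S | re.I                      # the rules' /si modifiers
    pats = []
    for p in params:
        # Branch 1: var := '<long>'; ... p => var
        # Each pattern has a single group, so the backreference is \1.
        pats.append(re.compile(
            r"(\w+)[\r\n\s]*:=[\r\n\s]*" + long_literal(n, closed=True)
            + r"[\r\n\s]*;.*" + re.escape(p) + r"[\r\n\s]*=>[\r\n\s]*\1", flags))
        # Branch 2: p => '<long>'
        pats.append(re.compile(re.escape(p) + r"\s*=>\s*" + long_literal(n), flags))
    for k in positional:
        # Branch 3: ( <k quoted arguments>, '<long>'
        pats.append(re.compile(
            r"\(\s*(?:(?:'[^']*'|\"[^\"]+\")\s*,\s*){%d}" % k + long_literal(n), flags))
    return pats

# Named parameters and positional slots, distilled from sids 2599 and 2601.
RULES = {
    "dbms_repcat.add_grouped_column": (["sname", "oname"], [0, 1]),
    "dbms_repcat.drop_master_repgroup": (["gname"], [0]),
}

def alerts(stmt, rules=RULES, n=1024):
    """Procedures whose check fires on stmt. The substring test stands in
    for the rule's content:"<procedure>"; nocase; match."""
    low = stmt.lower()
    return [proc for proc, (params, positional) in rules.items()
            if proc in low
            and any(p.search(stmt) for p in overflow_patterns(params, positional, n))]

# Literal translation of the sid 2599 PCRE (modifiers /si) into Python's re.
SID_2599 = re.compile(
    r"((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)"
    r"[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})"
    r"|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)"
    r"[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})"
    r"|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})"
    r"|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))",
    re.S | re.I)

def sid_2599_matches(stmt):
    """The original PCRE on its own, without the preceding content match."""
    return SID_2599.search(stmt) is not None

LONG = "A" * 1100      # constructed oversized argument
SAMPLES = {
    "named":      "dbms_repcat.add_grouped_column(sname => '%s', oname => 'EMP');" % LONG,
    "via_sname":  "v := '%s'; dbms_repcat.add_grouped_column(sname => v);" % LONG,
    "via_oname":  "v := '%s'; dbms_repcat.add_grouped_column(sname => 'SCOTT', oname => v);" % LONG,
    "positional": "dbms_repcat.drop_master_repgroup('%s');" % LONG,
    "benign":     "dbms_repcat.add_grouped_column(sname => 'SCOTT', oname => 'EMP');",
}

if __name__ == "__main__":
    for name, stmt in SAMPLES.items():
        print("%-10s per-branch=%s sid2599=%s" % (name, alerts(stmt), sid_2599_matches(stmt)))
```

The "via_oname" sample is the one the per-branch version catches and the literal sid 2599 translation does not; the same reuse of `\2` appears in every multi-parameter rule of this family (sids 2609, 2627 and 2674 among those on this page).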
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12296; reference:bugtraq,7453; reference:cve,2003-0222; reference:cve,2005-0297; reference:nessus,11563; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:nessus,12047; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2641; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; metadata:ruleset community; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2645; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000; metadata:ruleset community; reference:cve,2002-0965; classtype:attempted-user; sid:2649; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000; metadata:ruleset community; reference:bugtraq,6849; reference:cve,2003-0095; reference:url,otn.oracle.com/deploy/security/pdf/2003alert51.pdf; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:6;)
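Sids 2649 and 2650 use no regex at all: after locating `(service_name=` or `(user=` inside a connect packet they require, with isdataat, that at least 1000 more bytes follow, and, with a negated content and within, that none of the next 1000 bytes is the closing parenthesis, i.e. a TNS keyword value that runs on far longer than the listener expects. The Python below is an added example, not code from the ruleset, that turns that option chain into a predicate and runs it over connect strings constructed for the example (the DESCRIPTION/ADDRESS layout, host and program name are the example's own).

```python
# Added example: the isdataat / negated-content chain of sids 2649 and 2650
# as a predicate over a raw TNS connect payload, run on constructed packets.

def unterminated_value(payload, key, min_len=1000):
    """True when "(<key>=" occurs in a payload that also contains
    "connect_data", at least min_len bytes follow it, and none of the next
    min_len bytes is the closing ")". This mirrors
    isdataat:min_len,relative; content:!"|29|"; within:min_len;
    both searches are case-insensitive, like the rules' nocase."""
    low = payload.lower()
    if b"connect_data" not in low:
        return False
    needle = b"(" + key.lower() + b"="
    idx = low.find(needle)
    if idx < 0:
        return False
    rest = payload[idx + len(needle):]
    return len(rest) >= min_len and b")" not in rest[:min_len]

def tns_connect(service_name, user=b"scott"):
    """Constructed connect-data string in the TNS keyword=value syntax."""
    return (b"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.5)(PORT=1521))"
            b"(CONNECT_DATA=(SERVICE_NAME=" + service_name + b")"
            b"(CID=(PROGRAM=sqlplus)(USER=" + user + b"))))")

if __name__ == "__main__":
    for label, pkt in (("normal", tns_connect(b"orcl")),
                       ("long service_name", tns_connect(b"A" * 1200)),
                       ("long user", tns_connect(b"orcl", b"B" * 1200))):
        print(label, "service_name:", unterminated_value(pkt, b"service_name"),
              "user:", unterminated_value(pkt, b"user"))
```

A 900-byte value is not flagged because its closing parenthesis falls inside the 1000-byte window; that boundary is the rule's, not a property of the listener.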
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2652; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; content:"/modules.php"; nocase; http_uri; content:"name=Forums"; content:"file=viewtopic"; fast_pattern:only; pcre:"/forum=.*'/"; metadata:ruleset community, service http; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; fast_pattern:only; content:"ExecuteFile"; nocase; metadata:ruleset community; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0; byte_test:2,>,32,9; metadata:ruleset community, service ssl; reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:2656; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:2,>,32,9; metadata:ruleset community, service ssl; classtype:attempted-admin; sid:2657; rev:19;)
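Sid 2656 reads the SSLv2 CLIENT-HELLO layout directly: byte 0 with its high bit set (byte_test:1,>,127,0) is the two-byte record header without a padding byte, the three bytes at offset 2 are message type 1 and version 0x0002, and the two-byte big-endian field at offset 9 (after the cipher-spec and session-id lengths) is the challenge length, which the rule flags when it exceeds 32. The Python below is an added example, not code from the ruleset, that builds such records from scratch and applies the same field tests; it does not reproduce the ssl_version/ssl_state preprocessor checks, accepts only the two-byte header form, and the cipher-spec bytes and challenge contents are constructed for the example.

```python
import struct

# Added example: SSLv2 CLIENT-HELLO header fields as tested by sid 2656,
# with constructed records (no real client produced them).

def sslv2_client_hello(challenge, cipher_specs=b"\x01\x00\x80", session_id=b""):
    """Constructed CLIENT-HELLO with a 2-byte record header (high bit set)."""
    body = struct.pack("!BHHHH", 0x01, 0x0002,
                       len(cipher_specs), len(session_id), len(challenge))
    body += cipher_specs + session_id + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body

def parse_sslv2_client_hello(record):
    """Fields the rule tests, or None if this is not a 2-byte-header SSLv2
    CLIENT-HELLO (message type 1, version 0x0002 at offset 2)."""
    if len(record) < 11 or record[0] < 0x80:           # byte_test:1,>,127,0
        return None
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack_from("!BHHHH", record, 2)
    if msg_type != 0x01 or version != 0x0002:          # content:"|01 00 02|"; offset:2; depth:3
        return None
    return {"record_len": struct.unpack("!H", record[:2])[0] & 0x7FFF,
            "cipher_spec_len": cs_len,
            "session_id_len": sid_len,
            "challenge_len": ch_len}                   # 2 bytes at offset 9, big-endian

def sslv2_challenge_overflow(record, limit=32):
    """sid 2656 as a predicate: byte_test:2,>,32,9 on the challenge length."""
    fields = parse_sslv2_client_hello(record)
    return fields is not None and fields["challenge_len"] > limit

if __name__ == "__main__":
    for n in (16, 32, 4096):
        rec = sslv2_client_hello(b"C" * n)
        print("challenge", n, "->", sslv2_challenge_overflow(rec), parse_sslv2_client_hello(rec))
```

The 32-byte case sits exactly on the rule's boundary and is not flagged; anything larger is.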
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUpGold instancename overflow attempt"; flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern:only; http_uri; content:"instancename="; nocase; http_uri; isdataat:513,relative; pcre:"/instancename=[^&\x3b\r\n]{513}/Usmi"; metadata:ruleset community, service http; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:ruleset community, service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2664; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2666; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ping.asp access"; flow:to_server,established; content:"/ping.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP processit access"; flow:to_server,established; content:"/processit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ibillpm.pl access"; flow:to_server,established; content:"/ibillpm.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3476; reference:cve,2001-0839; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pgpmail.pl access"; flow:to_server,established; content:"/pgpmail.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; byte_test:4,>,2147480000,8,relative,little; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9663; reference:cve,2004-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:2671; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sresult.exe access"; flow:to_server,established; content:"/sresult.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,10837; reference:cve,2004-2528; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:12;)
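Sids 2671 and 2673 are header-field sanity checks on files carried in file_data rather than pattern matches: for BMP, the little-endian pixel-array offset that follows the two magic bytes and eight more bytes of header (so file offset 10) must not exceed 2147480000; for PNG, once the signature and a leading IHDR are seen, a tRNS chunk whose four-byte big-endian length field (the rule steps back 8 bytes from the end of the "tRNS" tag to read it) declares more than 256 bytes is flagged, but only when no PLTE chunk follows IHDR, which is what the negative lookahead in the pcre expresses. The Python below is an added example, not code from the ruleset, that walks the two formats at chunk and header level instead of over raw bytes and applies those thresholds to files constructed in the block; the pixel data, palette and CRC handling are the example's own and are not something the rules inspect.

```python
import struct
import zlib

# Added example: the BMP and PNG header checks behind sids 2671 and 2673,
# applied to files constructed here (none taken from real samples).

BMP_OFFSET_LIMIT = 2147480000   # sid 2671: byte_test:4,>,2147480000,8,relative,little
TRNS_LIMIT = 256                # sid 2673: byte_test:4,>,256,-8,relative,big

def bmp_offset_overflow(data):
    """'BM' magic, then bfOffBits: the 4-byte little-endian pixel-array offset
    at file offset 10 (2 bytes of magic plus the rule's relative offset 8)."""
    if len(data) < 14 or data[:2] != b"BM":
        return False
    off_bits = struct.unpack_from("<I", data, 10)[0]
    return off_bits > BMP_OFFSET_LIMIT

def png_chunks(data):
    """(type, declared length) for each chunk after the 8-byte signature,
    trusting the declared length exactly as the signature does."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from("!I4s", data, pos)
        yield ctype, length
        pos += 12 + length          # 4 length + 4 type + data + 4 CRC

def png_trns_overflow(data):
    """Signature, IHDR as the first chunk, a tRNS chunk declaring more than
    TRNS_LIMIT bytes, and no PLTE chunk anywhere after IHDR."""
    if data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return False
    chunks = list(png_chunks(data))
    if any(ctype == b"PLTE" for ctype, _ in chunks):
        return False
    return any(ctype == b"tRNS" and length > TRNS_LIMIT for ctype, length in chunks)

# --- constructed samples ---

def make_bmp(off_bits):
    """Minimal 24-bit 1x1 BMP whose bfOffBits is whatever the caller says."""
    pixels = b"\x00\x00\xff\x00"                      # one BGR pixel padded to 4 bytes
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, off_bits) + info + pixels

def png_chunk(ctype, payload, declared_len=None):
    """One PNG chunk; declared_len lets the length field lie about the payload."""
    length = len(payload) if declared_len is None else declared_len
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack("!I", length) + ctype + payload + struct.pack("!I", crc)

def make_png(chunks):
    return b"\x89PNG\r\n\x1a\n" + b"".join(chunks)

IHDR_RGB = png_chunk(b"IHDR", struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0))   # 1x1, 8-bit RGB

if __name__ == "__main__":
    print("bmp offset 54:", bmp_offset_overflow(make_bmp(54)))
    print("bmp offset 0x7FFFFFF0:", bmp_offset_overflow(make_bmp(0x7FFFFFF0)))
    print("png tRNS 6 bytes:", png_trns_overflow(
        make_png([IHDR_RGB, png_chunk(b"tRNS", b"\x00" * 6), png_chunk(b"IEND", b"")])))
    print("png tRNS 300 bytes:", png_trns_overflow(
        make_png([IHDR_RGB, png_chunk(b"tRNS", b"\x00" * 300), png_chunk(b"IEND", b"")])))
```

The declared-length case matters in practice: the rule reads the length field, not the bytes actually present, so a tRNS chunk that announces far more data than the file contains is flagged even when the file is truncated right after it.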
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2674; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2675; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2677; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2678; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2679; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2680; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2681; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2682; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2683; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2684; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2685; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2687; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2688; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2689; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2690; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2691; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2692; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2693; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2694; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2695; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2696; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community; classtype:attempted-user; sid:2697; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community; classtype:attempted-user; sid:2698; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1364; classtype:attempted-user; sid:2699; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/sid=[^&\x3b\r\n]{255}/si"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus username overflow attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{255}/si"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{250}/smi"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; content:"/login.uix"; nocase; http_uri; content:"connectID="; nocase; isdataat:255,relative; pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_client,established; content:"Content-Type"; nocase; http_header; content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3A\s*image\x2F/smiH"; file_data; content:"|FF D8|"; within:2; fast_pattern; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/sR"; metadata:ruleset community, service http; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:2705; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|00 48 00 00 FF|"; fast_pattern:only; pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11173; reference:cve,2004-0200; reference:cve,2017-16392; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028; classtype:attempted-admin; sid:2707; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2738; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2746; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.begin_flavor_definition buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2747; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.comment_on_column_group buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2748; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2762; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.relocate_masterdef buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2799; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.rename_shadow_column_group buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2800; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.resume_master_activity buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2801; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat_rgt.check_ddl_text buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|
user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2802; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|
(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2803; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.send_and_compare_old_values buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2804; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established;
content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2805; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established;
content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2806; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.specify_new_masters buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2807; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.suspend_master_activity buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2808; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.unregister_mview_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2809; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2810; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.validate_flavor_definition buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.validate_flavor_definition";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2811; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
dbms_repcat.validate_for_local_flavor buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2812; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition";
nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-
0001/25.html; classtype:attempted-user; sid:2813; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor";
nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-
0001/25.html; classtype:attempted-user; sid:2814; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition";
nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-
0001/25.html; classtype:attempted-user; sid:2815; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor";
nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-
0001/25.html; classtype:attempted-user; sid:2816; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2817; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2818; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2819; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2820; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2821; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2822; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2823; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase;
pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2824; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2825; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2826; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2827; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2828; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2829; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2830; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2831; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2832; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2833; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2834; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.purge_master_log buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2835; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2836; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2837; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2838; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2839; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2840; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2841; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2842; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|
type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2843; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2844; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2845; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2846; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2847; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE
sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}
(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html;
classtype:attempted-user; sid:2848; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:4;)
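# Added example, not from the Sourcefire ruleset: the Python harness below re-implements the content and pcre checks of sid:2855 above with the re module and runs them over constructed PL/SQL blocks, so the three shapes the signature covers (a long literal assigned to a variable that is later passed as gname, a long literal passed directly as the gname named parameter, and a long literal as the first positional argument) can be seen to fire while an ordinary call does not. Snort's own matching engine, stream reassembly and buffer handling are not reproduced; every payload is constructed here.

```python
# Added example, not part of the Sourcefire community ruleset: re-implements
# the content + pcre checks of sid:2855 (dbms_repcat.remove_master_databases)
# with Python's re module so the three shapes the signature covers can be
# exercised against constructed PL/SQL. Snort's engine is not reproduced.
import re

# content:"dbms_repcat.remove_master_databases"; nocase;  -> a case-insensitive
# substring prefilter that Snort evaluates before the more expensive pcre.
CONTENT = "dbms_repcat.remove_master_databases"

# The rule's pcre copied as-is; Snort's /s and /i map to re.S and re.I.
# Group 2 captures a PL/SQL variable name, group 3 the long literal assigned
# to it, group 4 a long literal passed as gname => ..., group 5 a long literal
# as the first positional argument.
PCRE = re.compile(
    r"((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)"
    r"[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2"
    r"|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})"
    r"|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))",
    re.S | re.I,
)


def rule_2855_matches(payload: str) -> bool:
    """True when both the content prefilter and the pcre would fire."""
    if CONTENT not in payload.lower():
        return False
    return PCRE.search(payload) is not None


def which_branch(payload: str) -> int:
    """0 = no alert; 1 = long literal reaches gname via a variable assignment;
    2 = long literal as the gname named parameter; 3 = long literal as the
    first positional argument (the order of the pcre's alternatives)."""
    if CONTENT not in payload.lower():
        return 0
    m = PCRE.search(payload)
    if m is None:
        return 0
    if m.group(3) is not None:
        return 1
    if m.group(4) is not None:
        return 2
    return 3


# Constructed payloads. 1100 characters clears the rule's 1075 threshold.
LONG = "A" * 1100
BENIGN = (
    "BEGIN dbms_repcat.remove_master_databases(gname => 'REPGRP', "
    "master_list => 'DB1'); END;"
)
NAMED = (
    "BEGIN DBMS_REPCAT.REMOVE_MASTER_DATABASES(gname => '" + LONG + "', "
    "master_list => 'DB1'); END;"
)
POSITIONAL = (
    "BEGIN dbms_repcat.remove_master_databases('" + LONG + "', 'DB1'); END;"
)
VIA_VAR = (
    "DECLARE buf VARCHAR2(2000);\nBEGIN\n  buf := '" + LONG + "';\n"
    "  dbms_repcat.remove_master_databases(gname => buf);\nEND;"
)

if __name__ == "__main__":
    for name, payload in [("benign", BENIGN), ("named", NAMED),
                          ("positional", POSITIONAL), ("via_var", VIA_VAR)]:
        print(f"{name:10s} alert={rule_2855_matches(payload)} "
              f"branch={which_branch(payload)}")
```

# Running the block prints one line per payload. The threshold comes straight from the regex: a literal of fewer than 1075 characters matches none of the alternatives, and the content option is only a case-insensitive substring prefilter, so the pcre is what decides whether the rule fires.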
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2856; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2897; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:11;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; classtype:unsuccessful-user; sid:2923; rev:14;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community, service netbios-ssn; classtype:unsuccessful-user; sid:2924; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV base directory manipulation"; flow:to_server,established; content:"_conf.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2926; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt"; flow:to_server,established; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256; content:!"|00|"; depth:256; offset:12; metadata:ruleset community, service netbios-ssn; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2936; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt"; flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2942; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3000; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3001; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3002; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3003; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3004; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3005; rev:12;)
# alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"SERVER-OTHER Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; metadata:ruleset community; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP command overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\s(APPEND|CHECK|CLOSE|CREATE|DELETE|EXAMINE|EXPUNGE|FETCH|LIST|RENAME|SEARCH|SELECT|STATUS|SUBSCRIBE|UNSUBSCRIBE)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11675; reference:bugtraq,11775; reference:bugtraq,15006; reference:bugtraq,15753; reference:cve,2004-1211; reference:cve,2005-0707; reference:cve,2005-1520; reference:cve,2005-2923; reference:cve,2005-3155; reference:nessus,15771; classtype:misc-attack; sid:3007; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11675; reference:cve,2005-1520; reference:nessus,15771; classtype:misc-attack; sid:3008; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get windows directory"; flow:to_server,established; content:"WINDIR"; depth:6; metadata:ruleset community; classtype:misc-activity; sid:3010; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get system directory"; flow:to_server,established; content:"SYSDIR"; depth:6; metadata:ruleset community; classtype:misc-activity; sid:3011; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick upload/execute arbitrary file"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; metadata:ruleset community; classtype:misc-activity; sid:3012; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"MALWARE-CNC Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3013; rev:8;)
# alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Asylum 0.1 connection"; flow:to_client,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:ruleset community; classtype:misc-activity; sid:3014; rev:10;)
# alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3015; rev:10;)
# alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection port 63536"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3016; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:ruleset community, service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:9;)
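The "oversized Security Descriptor" rules above (sids 3020 to 3025) never parse SMB; they reach SecurityDescriptorLength purely by offset arithmetic: `|FF|SMB|A0|` at payload offset 4 fixes the command, `byte_test:1,&,128,6,relative` reads the high byte of Flags2 for the Unicode bit, `pcre:"/^.{27}/R"` lands on the end of the 32-byte SMB header, `|01 00|` at distance 37 is the NT_TRANSACT Function field, `byte_jump:4,-15` reads ParameterOffset (15 bytes before the cursor), `pcre:"/^.{4}/R"` skips the NetBIOS session header the SMB offsets do not count, and `byte_test:4,>,1024,36` compares the length field at parameter offset 36. The Python below is an example added for this page, not code from the Snort community rules or from Snort; it walks the same offsets over constructed packets (built inline, not captures) so the arithmetic can be checked. It assumes one request per NetBIOS message and covers only the plain NT_TRANSACT form; the `andx` variants additionally chain through a leading AndX block, which is not modelled here.

```python
import struct

SMB_COM_NT_TRANSACT = 0xA0      # SMB header Command byte matched by content:"|FF|SMB|A0|"
NT_TRANSACT_CREATE = 0x0001     # NT_TRANSACT Function matched by content:"|01 00|"
SD_LEN_LIMIT = 1024             # byte_test:4,>,1024,36,relative,little
SMB_FLAGS2_UNICODE = 0x8000     # byte_test:1,&,128,6,relative tests the high byte of Flags2


def nt_create_sd_length(payload: bytes):
    """Return SecurityDescriptorLength from an SMB1 NT_TRANSACT / NT_CREATE request
    (one NetBIOS session message, no AndX chain), or None if the payload is not one.

    Payload offsets (the ones the rules' depth/offset/distance arithmetic lands on):
      0        NetBIOS session message type (0x00 = session message)
      4..7     "\\xffSMB"
      8        Command (0xA0 = SMB_COM_NT_TRANSACT)
      14..15   Flags2, little endian (0x8000 = Unicode strings)
      36       WordCount, start of the NT_TRANSACT request block
      60..63   ParameterOffset, relative to the SMB header (payload offset 4)
      73..74   Function (0x0001 = NT_TRANSACT_CREATE)
      params+36  SecurityDescriptorLength
    """
    if len(payload) < 75 or payload[0] != 0x00 or payload[4:8] != b"\xffSMB":
        return None
    if payload[8] != SMB_COM_NT_TRANSACT:
        return None
    (function,) = struct.unpack_from("<H", payload, 73)
    if function != NT_TRANSACT_CREATE:
        return None
    (param_offset,) = struct.unpack_from("<I", payload, 60)
    sd_off = 4 + param_offset + 36   # +4 is what the rules' pcre:"/^.{4}/R" does: skip the NetBIOS header
    if sd_off + 4 > len(payload):
        return None
    return struct.unpack_from("<I", payload, sd_off)[0]


def is_unicode(payload: bytes) -> bool:
    """Flags2 Unicode bit, the distinction between the plain and 'unicode' rule variants."""
    if len(payload) < 16:
        return False
    return bool(struct.unpack_from("<H", payload, 14)[0] & SMB_FLAGS2_UNICODE)


def is_oversized_sd(payload: bytes) -> bool:
    """True when the request would trip the 1024-byte SecurityDescriptorLength check."""
    sd_len = nt_create_sd_length(payload)
    return sd_len is not None and sd_len > SD_LEN_LIMIT


def build_nt_create(sd_len: int, unicode: bool = True) -> bytes:
    """Constructed sample request (not a capture): a minimal NT_TRANSACT NT_CREATE with the
    given SecurityDescriptorLength and no data block, so only the header walk is exercised."""
    flags2 = 0x4801 | (SMB_FLAGS2_UNICODE if unicode else 0)
    smb_hdr = (b"\xffSMB" + bytes([SMB_COM_NT_TRANSACT])
               + struct.pack("<IBH", 0, 0x18, flags2)   # Status, Flags, Flags2
               + b"\x00" * 20)                          # PIDHigh .. MID, all zero
    params = struct.pack("<IIIQIIIIIIIIB",
                         0x16, 0, 0x2019F, 0,           # Flags, RootDirectoryFID, DesiredAccess, AllocationSize
                         0x80, 0x7, 0x1, 0x40,          # ExtFileAttributes, ShareAccess, CreateDisposition, CreateOptions
                         sd_len, 0, 0, 2, 0)            # SecurityDescriptorLength, EALength, NameLength, ImpersonationLevel, SecurityFlags
    param_offset = 32 + 39 + 2 + 3                      # SMB header + NT_TRANSACT fields + ByteCount + 3 pad bytes
    trans = struct.pack("<BBHIIIIIIIIBH",
                        19, 0, 0,                       # WordCount, MaxSetupCount, Reserved
                        len(params), 0,                 # TotalParameterCount, TotalDataCount
                        len(params), 0,                 # MaxParameterCount, MaxDataCount
                        len(params), param_offset,      # ParameterCount, ParameterOffset
                        0, 0,                           # DataCount, DataOffset
                        0, NT_TRANSACT_CREATE)          # SetupCount, Function
    body = b"\x00" * 3 + params
    smb = smb_hdr + trans + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message header
```

Because ParameterOffset is attacker-controlled, a real decoder should also bounds-check it against the message length, as `nt_create_sd_length` does before reading; the rules get the same protection from `byte_test` failing when the offset runs past the packet.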
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3042; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3043; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3044; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3045; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3046; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3047; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3048; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3049; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3050; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3051; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3053; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3054; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3055; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3056; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3057; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; fast_pattern:only; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:3058; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"APP-DETECT distccd remote command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; metadata:ruleset community; reference:url,distcc.samba.org/security.html; classtype:policy-violation; sid:3061; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9791; reference:cve,2004-0347; classtype:web-application-activity; sid:3062; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"MALWARE-BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3063; rev:6;)
# alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Vampire 1.2 connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:3064; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; fast_pattern:only; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3065; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP APPEND overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,21729; reference:cve,2004-1211; reference:cve,2006-6425; reference:nessus,15867; classtype:misc-attack; sid:3066; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15491; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3071; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP STATUS overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,13727; reference:bugtraq,14243; reference:bugtraq,15491; reference:cve,2004-1211; reference:cve,2005-1256; reference:cve,2005-2278; reference:cve,2005-3314; reference:cve,2017-1274; reference:nessus,15867; classtype:misc-attack; sid:3072; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3075; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP UNSUBSCRIBE overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:cve,2004-1211; reference:cve,2005-3189; reference:nessus,15867; classtype:attempted-admin; sid:3076; rev:13;)
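The IMAP "literal overflow" rules (sids 3058, 3065, 3067, 3069, 3071, 3073 and 3075) share one mechanism: a `pcre` anchors on the command name and the first `{` that opens an RFC 3501 literal, then `byte_test:5,...,string,dec,relative` reads the decimal digits that follow it (at most five, so a six-digit size is read as its first five digits) and compares the number with the limit, 1024 for COPY and 256 for the rest. The Python below is an example added for this page, not code from the Snort community rules or from Snort; it applies that same test to constructed IMAP command lines (made up for the example, not captured traffic). The command-to-limit table is taken from the rules above; the regex is this example's own and is meant to reproduce the rules' behaviour, including the five-digit read, not to be a full IMAP parser.

```python
import re

# Per-command literal-size limits as set by byte_test in the rules above.
LITERAL_LIMITS = {
    "COPY": 1024,        # sid 3058
    "APPEND": 256,       # sid 3065
    "EXAMINE": 256,      # sid 3067
    "FETCH": 256,        # sid 3069
    "STATUS": 256,       # sid 3071
    "SUBSCRIBE": 256,    # sid 3073
    "UNSUBSCRIBE": 256,  # sid 3075
}

# tag, command, anything up to the first "{", then the digits byte_test would read.
# \d{1,5} mirrors byte_test:5,...,string,dec: only the first five digits are converted.
LITERAL_RE = re.compile(rb"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)\b[^\r\n]*?\{(?P<size>\d{1,5})", re.I)


def imap_literal_size(line: bytes):
    """Return (COMMAND, declared literal size) for a command line that announces a
    literal, or None when the line carries no literal."""
    m = LITERAL_RE.match(line)
    if not m:
        return None
    return m.group("cmd").upper().decode("ascii"), int(m.group("size"))


def is_literal_overflow(line: bytes) -> bool:
    """True when the declared literal exceeds the rule limit for that command."""
    parsed = imap_literal_size(line)
    if parsed is None:
        return False
    cmd, size = parsed
    limit = LITERAL_LIMITS.get(cmd)
    return limit is not None and size > limit


def scan(lines):
    """Run the check over a list of command lines; return the offending lines."""
    return [ln for ln in lines if is_literal_overflow(ln)]


# Constructed sample session (not a capture).
SAMPLE = [
    b"A001 LOGIN user pass\r\n",
    b"A002 APPEND INBOX {300}\r\n",           # over the 256-byte APPEND limit
    b"A003 COPY 1:3 {300}\r\n",               # under the 1024-byte COPY limit
    b"A004 COPY 1:3 {2048}\r\n",              # over it
    b"A005 STATUS {100000}\r\n",              # read as 10000 (first five digits), still over 256
    b"A006 LIST \"\" {400}\r\n",              # LIST is not covered by these rules
]
```

A note on coverage: the size is compared as written by the client, so a server that caps literal sizes itself is not protected by this check against a client that sends more bytes than it declared; that case is what the companion non-literal rules (sids 3066, 3070, 3072, 3074 and 3076) cover by looking for 100 or 256 bytes of argument without a line terminator.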
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,14339; classtype:attempted-admin; sid:3077; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH|20|"; depth:7; nocase; isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:3078; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; content:"anih"; distance:0; nocase; byte_test:4,>,36,0,relative,little; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:25;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"SERVER-OTHER Unreal Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|5C|"; fast_pattern:only; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; metadata:ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:8;)
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3081; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3082; rev:13;)
# alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:ruleset community; classtype:misc-activity; sid:3083; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"SERVER-OTHER Veritas backup overflow attempt"; flow:to_server,established; content:"|02 00|"; depth:2; content:"|00|"; within:1; distance:1; isdataat:72; content:!"|00|"; depth:66; offset:6; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,11974; reference:cve,2004-1172; classtype:attempted-admin; sid:3084; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_client,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community, service http; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3Com
3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt";
flow:to_server,established; content:"/app_sta.stm"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,11408;
reference:cve,2004-1596; classtype:web-application-activity; sid:3086; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS w3who.dll
buffer overflow attempt"; flow:to_server,established; content:"/w3who.dll?";
nocase; http_uri; pcre:"/w3who\.dll\x3F[^\r\n]{519}/i"; metadata:policy max-detect-
ips drop, ruleset community, service http; reference:bugtraq,11820;
reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:19;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA
Nullsoft Winamp cda file name overflow attempt"; flow:to_client,established;
file_data; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]
{16,})\.cda$/smi"; metadata:ruleset community, service http;
reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817;
classtype:attempted-user; sid:3088; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER squid WCCP
I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|";
depth:4; byte_test:4,>,32,16; metadata:ruleset community; reference:bugtraq,12275;
reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-
IP-TCP llsrpc LlsrConnect overflow attempt"; flow:to_server,established;
dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; dce_opnum:0; dce_stub_data;
byte_test:4,>,52,0,dce; metadata:policy max-detect-ips drop, ruleset community,
service netbios-ssn; reference:bugtraq,12481; reference:cve,2005-0050;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010;
classtype:attempted-admin; sid:3114; rev:19;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"PUA-OTHER Microsoft MSN
Messenger png overflow"; flow:to_client,established; content:"application/x-
msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR";
within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS";
distance:0; byte_test:4,>,256,-8,relative,big; metadata:ruleset community;
reference:bugtraq,10872; reference:cve,2004-0957;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009;
classtype:attempted-user; sid:3130; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
mailman directory traversal attempt"; flow:to_server,established;
content:"/mailman/"; http_uri; content:".../"; http_raw_uri; metadata:ruleset
community, service http; reference:cve,2005-0202; classtype:web-application-attack;
sid:3131; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE
Microsoft and libpng multiple products PNG large image width overflow attempt";
flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D
0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative;
metadata:ruleset community, service ftp-data, service http, service imap, service
pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244;
reference:cve,2007-5503; reference:url,sourceforge.net/p/png-
mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS05-009; classtype:attempted-user; sid:3132; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE
Microsoft Multiple Products PNG large image height download attempt";
flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D
0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,4,relative;
metadata:ruleset community, service ftp-data, service http, service imap, service
pop3; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599;
reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009;
classtype:attempted-user; sid:3133; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE
Microsoft PNG large colour depth download attempt"; flow:to_client,established;
flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR";
within:8; byte_test:1,>,16,8,relative; metadata:ruleset community, service ftp-
data, service http, service imap, service pop3; reference:bugtraq,11523;
reference:cve,2004-0990; reference:cve,2004-1244;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009;
classtype:attempted-user; sid:3134; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2
QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1;
content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|";
within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset
community, service netbios-ssn; classtype:protocol-command-decode; sid:3135;
rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2
QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1;
content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1;
offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29;
flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service
netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2
QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1;
content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|";
within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset
community, service netbios-ssn; classtype:protocol-command-decode; sid:3137;
rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2
QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1;
content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1;
offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29;
flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service
netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2
attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2";
within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29;
flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service
netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2
andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|
SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|";
within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset
community, service netbios-ssn; classtype:protocol-command-decode; sid:3140;
rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2
FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1;
content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset
community, service netbios-ssn; classtype:protocol-command-decode; sid:3141;
rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2
FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1;
content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1;
offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29;
flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service
netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:10;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows
SMB Trans2 FIND_FIRST2 command response overflow attempt";
flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1;
content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R";
flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-
detect-ips drop, ruleset community; reference:bugtraq,12484; reference:cve,2005-
0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011;
classtype:protocol-command-decode; sid:3143; rev:17;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows
SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established;
flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4;
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2";
depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2;
byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset
community; reference:bugtraq,12484; reference:cve,2005-0045;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011;
classtype:protocol-command-decode; sid:3144; rev:17;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows
SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:to_client,established;
flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5;
distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2;
byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset
community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011;
classtype:protocol-command-decode; sid:3145; rev:16;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows
SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt";
flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1;
content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1;
offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2;
byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset
community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011;
classtype:protocol-command-decode; sid:3146; rev:18;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login
buffer overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|
TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt;
metadata:ruleset community, service telnet; reference:bugtraq,3681;
reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin;
sid:3147; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft
Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established;
file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,11467;
reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693;
reference:cve,2002-0823; reference:cve,2004-1043;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001;
reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-
user; sid:3148; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft
Internet Explorer 5/6 object type overflow attempt"; flow:to_client,established;
file_data; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+
[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; metadata:ruleset community, service http;
reference:cve,2003-0344; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS03-020; classtype:attempted-user; sid:3149; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS SQLXML
content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui";
content:"contenttype="; http_uri; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU";
metadata:ruleset community, service http; reference:bugtraq,5004;
reference:cve,2002-0186; reference:nessus,11304;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-030;
reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-
admin; sid:3150; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution
attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi";
metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915;
classtype:attempted-recon; sid:3151; rev:8;)
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed
login attempt"; flow:to_client,established,no_stream; content:"Login failed for
user 'sa'"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 2;
metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209;
reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query
overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4;
isdataat:400; metadata:ruleset community, service dns; reference:bugtraq,134;
reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query
overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2;
metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-
0009; classtype:attempted-admin; sid:3154; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"MALWARE-BACKDOOR BackOrifice
2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|";
metadata:ruleset community; classtype:trojan-activity; sid:3155; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS
DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt";
flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046;
dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C
00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community,
service netbios-ssn; reference:cve,2003-0715;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039;
classtype:protocol-command-decode; sid:3158; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC
NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:000001a0-
0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC
CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce;
metadata:ruleset community, service dcerpc; reference:cve,2003-0715;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039;
classtype:protocol-command-decode; sid:3159; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC
NCADG-IP-UDP msqueue function 4 overflow attempt"; dce_iface:975201B0-59CA-11D0-
A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce;
metadata:policy max-detect-ips drop, ruleset community, service dcerpc;
reference:cve,2005-0059; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3171; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft
Windows Media Player directory traversal via Content-Disposition attempt";
flow:to_client,established; content:".wmz"; fast_pattern; nocase; http_header;
content:"Content-Disposition|3A|"; nocase; http_header; content:"filename=";
nocase; http_header;
pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|
\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH"; metadata:ruleset community, service
http; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017;
classtype:attempted-user; sid:3192; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cmd
executable file parsing attack"; flow:to_server,established; content:".cmd|22|";
nocase; http_uri; pcre:"/\x2ecmd\x22.*?\x26/smUi"; metadata:ruleset community,
service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-
application-attack; sid:3193; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .bat
executable file parsing attack"; flow:to_server,established; content:".bat|22|";
nocase; http_uri; pcre:"/\x2ebat\x22.*?\x26/Usmi"; metadata:ruleset community,
service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-
application-attack; sid:3194; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow
attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" ";
offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns;
reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006;
classtype:attempted-admin; sid:3195; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow
attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative;
metadata:ruleset community, service netbios-ns; reference:bugtraq,9624;
reference:cve,2003-0825; reference:nessus,15912;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006;
classtype:attempted-admin; sid:3196; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows
WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2;
content:" "; offset:12; isdataat:56,relative; metadata:ruleset community;
reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006;
classtype:attempted-admin; sid:3199; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows
WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2;
content:" "; offset:12; isdataat:56,relative; metadata:ruleset community;
reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006;
classtype:attempted-admin; sid:3200; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS
httpodbc.dll access - nimda"; flow:to_server,established; content:"/httpodbc.dll";
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2708;
reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-
IP-TCP winreg OpenKey overflow attempt"; flow:to_server,established;
dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:15; dce_stub_data;
byte_test:2,>,1024,20,dce; metadata:ruleset community, service netbios-ssn;
reference:bugtraq,1331; reference:cve,2000-0377;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040;
classtype:attempted-admin; sid:3218; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message
little endian overflow attempt"; content:"|04 00|"; depth:2;
byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6
FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28;
byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative;
byte_test:4,>,1024,8,little,relative; metadata:ruleset community;
reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin;
sid:3234; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message
overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative;
content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22;
content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative;
byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; metadata:ruleset
community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-
admin; sid:3235; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC
NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt";
flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f;
dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-
4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset
community; reference:bugtraq,6005; reference:cve,2002-1561;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010;
classtype:attempted-admin; sid:3238; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC
NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:b9e79e60-3d52-
11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.
{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce;
metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010;
classtype:attempted-admin; sid:3239; rev:14;)
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed
login unicode attempt"; flow:to_client,established,no_stream; content:"L|00|o|00|g|
00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|
e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5,
seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-
1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:9;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login
buffer non-evasive overflow attempt"; flow:to_server,established; content:"|FF
FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi";
flowbits:set,ttyprompt; metadata:ruleset community, service telnet;
reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827;
classtype:attempted-admin; sid:3274; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS
DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt";
flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046;
dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C
00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community,
service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352;
reference:cve,2003-0715; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-
us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397;
rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC
NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; dce_iface:000001a0-
0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC
CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce;
metadata:ruleset community, service dcerpc; reference:bugtraq,8205;
reference:cve,2003-0352; reference:cve,2003-0715;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039;
classtype:protocol-command-decode; sid:3398; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS
DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt";
flow:to_server,established; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57;
dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,dce; metadata:ruleset community,
service dcerpc, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-
0352; reference:cve,2003-0528; reference:cve,2003-0715;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039;
classtype:attempted-admin; sid:3409; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT bounce
attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce;
pcre:"/^PORT/smi"; metadata:policy max-detect-ips drop, ruleset community, service
ftp; reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081;
classtype:misc-attack; sid:3441; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-WINDOWS Microsoft Windows
TCP print service overflow attempt"; flow:to_server,established;
pcre:"/^(\x03|\x04|\x05)/s"; content:"|00|"; within:497; content:"|0A|";
within:497; metadata:ruleset community; reference:bugtraq,1082; reference:cve,2000-
0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-021;
classtype:attempted-dos; sid:3442; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client
backup system info probe"; flow:to_server,established; content:"ARKADMIN_GET_";
pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; metadata:policy max-detect-ips drop, ruleset
community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-
recon; sid:3453; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client
backup generic info probe"; flow:to_server,established; content:"ARKFS|00|root|00|
root"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community;
reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon;
sid:3454; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"SERVER-OTHER Bontago Game
Server Nickname buffer overflow"; flow:to_server,established; content:"|FF 01 00 00
00 00 01|"; isdataat:512,relative; metadata:ruleset community;
reference:bugtraq,12603; reference:cve,2005-0501;
reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-
user; sid:3455; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL 4.0 root
login attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:3;
content:"root|00|"; within:5; distance:5; nocase; metadata:ruleset community,
service mysql; classtype:protocol-command-decode; sid:3456; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup
client type 77 overflow attempt"; flow:to_server,established; content:"|00|M";
depth:2; byte_test:2,>,23,6; metadata:policy max-detect-ips drop, ruleset
community; reference:bugtraq,12594; reference:cve,2005-0491;
reference:nessus,17158; classtype:attempted-user; sid:3457; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup
client type 84 overflow attempt"; flow:to_server,established; content:"|00|T";
depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8;
metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594;
reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:8;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito Search
Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16;
metadata:ruleset community; reference:url,openlito.sourceforge.net;
reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST with numeric
argument"; flow:to_server,established; content:"REST"; fast_pattern:only;
pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community, service ftp;
reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Content-Type
overflow attempt"; flow:to_server,established; content:"Content-Type"; nocase;
content:"|3A|"; distance:0; pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi";
metadata:policy max-detect-ips drop, ruleset community, service smtp;
reference:bugtraq,44732; reference:bugtraq,7419; reference:cve,2003-0113;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015;
classtype:attempted-admin; sid:3461; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft
Internet Explorer Content-Encoding overflow attempt"; flow:to_server,established;
content:"Content-Encoding"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-
Encoding\s*\x3A\s*[^\r\n]{300}/mi"; metadata:ruleset community, service smtp;
reference:bugtraq,7419; reference:cve,2003-0113;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015;
classtype:attempted-admin; sid:3462; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
awstats access"; flow:to_server,established; content:"/awstats.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-
activity; sid:3463; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP
awstats.pl command execution attempt"; flow:to_server,established;
content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"update=";
http_uri; pcre:"/update=[^\r\n\x26]+/Ui"; content:"logfile="; nocase; http_uri;
pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; metadata:ruleset community, service
http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-
attack; sid:3464; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4692; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-065; classtype:misc-activity; sid:8445; rev:16;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; content:".rtf"; fast_pattern:only; http_uri; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:20;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:22;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BMP file download request"; flow:to_server,established; content:".bmp"; fast_pattern:only; http_uri; pcre:"/\x2ebmp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:16205; rev:20;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hydraq variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/#/file/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c/detection; classtype:trojan-activity; sid:16368; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpg"; fast_pattern:only; http_uri; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpeg"; fast_pattern:only; http_uri; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; content:".exe"; fast_pattern:only; http_uri; pcre:"/\x2eexe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:24;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16474; rev:24;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16475; rev:18;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; http_uri; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:17;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:17314; rev:24;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; content:".png"; fast_pattern:only; http_uri; pcre:"/\x2epng([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:17380; rev:20;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; content:".xml"; fast_pattern:only; http_uri; pcre:"/\x2exml([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:17733; rev:15;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB TRANS2 Find_First2 request attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:18; content:"|00 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:10; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:17745; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request"; flow:established,to_server; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|10 00|"; depth:2; offset:65; flowbits:set,smb.trans2.get_dfs_referral; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:19190; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; content:".zip"; fast_pattern:only; http_uri; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:19211; rev:20;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products blacknurse ICMP denial of service attempt"; icode:3; itype:3; detection_filter:track by_src,count 250,seconds 1; metadata:ruleset community; reference:cve,2011-1871; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:19678; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 (msg:"MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection"; flow:to_server,established; content:"|00 00 00 01 00 00 00|"; depth:7; offset:1; content:"|01 00 00 00 68 01 00 00|"; within:8; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b0/analysis/; reference:url,www.virustotal.com/en/file/705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe/analysis/; classtype:trojan-activity; sid:20080; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header; content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2/analysis/; classtype:trojan-activity; sid:20221; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; content:".smi"; fast_pattern:only; http_uri; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:ruleset community, service http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20223; rev:22;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request"; flow:to_server,established; content:"_helper.jar"; fast_pattern:only; pcre:"/agent_(win|lin|mac)_helper\.jar$/siU"; flowbits:set,file.jar.agent_helper; flowbits:noalert; metadata:ruleset community, service http; reference:cve,2011-1969; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:misc-activity; sid:20260; rev:17;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20463; rev:23;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20464; rev:22;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20465; rev:22;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20466; rev:22;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20467; rev:22;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20468; rev:22;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20469; rev:22;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20478; rev:19;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_client,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20480; rev:18;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20483; rev:19;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20486; rev:20;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20494; rev:16;)
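# Added example, not part of the community ruleset: a Python mirror of the file_data
# magic rules above (sids 16474, 16475, 17314, 20463-20469, 20478, 20480, 20483, 20486,
# 20494) and of FILE-OFFICE sid 8445, run over constructed sample buffers. It reproduces
# the depth/distance/within arithmetic so the offsets can be checked by hand (the CFB
# version check lands on header bytes 24..27), and shows which flowbits each buffer
# would set. Function names, sample bytes and the flowbit sets are this example's own;
# it assumes the Snort 2 content semantics the rules are written against.

```python
"""Mirror of the FILE-IDENTIFY file_data magic rules (sids 16474, 16475, 17314,
20463-20469, 20478, 20480, 20483, 20486, 20494) and of FILE-OFFICE sid 8445.
Added example, not part of the ruleset; names and sample bytes are this example's own."""

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# sids 20464-20469: any of these PK signatures anywhere in file_data (no depth).
ZIP_SIGNATURES = (b"PK00PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06",
                  b"PK\x06\x08", b"PK\x06\x07", b"PK\x06\x06")


def cfb_major_version(data):
    """sids 16474/16475: relative to the end of the 8-byte magic, distance:16 skips the
    CLSID and within:4 pins ">|00 03 00|" / ">|00 04 00|" to offsets 24..27, i.e.
    minor version 0x003E followed by the little-endian major version 3 or 4."""
    pos = data.find(CFB_MAGIC)
    while pos >= 0:
        tail = data[pos + 24:pos + 28]
        if tail == b">\x00\x03\x00":
            return 3
        if tail == b">\x00\x04\x00":
            return 4
        pos = data.find(CFB_MAGIC, pos + 1)
    return None


def zip_signature_present(data):
    """sids 20463-20469. For PK|03 04| (sid 20463) the negated content
    !"|14 00 06 00|"; within:4 means the four bytes right after the local file header
    signature must not be 14 00 06 00; the ruleset does not say why that is excluded."""
    if any(sig in data for sig in ZIP_SIGNATURES):
        return True
    pos = data.find(b"PK\x03\x04")
    while pos >= 0:
        if data[pos + 4:pos + 8] != b"\x14\x00\x06\x00":
            return True
        pos = data.find(b"PK\x03\x04", pos + 1)
    return False


def rtf_embedded_package(data):
    """sid 8445: case-insensitive "{\\rt", then (distance:0) the literal
    "{\\object\\objemb{\\*\\objclass Package}". The second content is a fixed string,
    so any control word written between \\objemb and {\\*\\objclass defeats it."""
    low = data.lower()
    start = low.find(b"{\\rt")
    if start < 0:
        return False
    return low.find(b"{\\object\\objemb{\\*\\objclass package}", start + 4) >= 0


def identify_file_data(data):
    """Flowbits the rules would set on one file_data buffer. All but sid 8445 are
    flowbits:noalert: they only tag the flow for later rules (sid 21417, for one,
    tests flowbits:isset,file.pdf)."""
    bits = set()
    if data[:8] == CFB_MAGIC:                      # sid 17314, depth:8
        bits.update({"file.ole", "file.fpx"})
    version = cfb_major_version(data)
    if version == 3:                               # sid 16474
        bits.add("file.ole")
    elif version == 4:                             # sid 16475
        bits.add("file.oless.v4")
    if data[:8] == b"\x89PNG\r\n\x1a\n":           # sid 20478, depth:8
        bits.add("file.png")
    if data[:3] == b"\xff\xd8\xff":                # sids 20480/20483, depth:3/4
        bits.add("file.jpeg")
    if b"{\\rt" in data:                           # sid 20486: case-sensitive, anywhere
        bits.add("file.rtf")
    if b"%pdf-" in data.lower():                   # sid 20494: nocase, anywhere
        bits.add("file.pdf")
    if zip_signature_present(data):                # sids 20463-20469
        bits.update({"file.zip", "file.jar"})
    if rtf_embedded_package(data):                 # sid 8445 (this one also alerts)
        bits.add("file.rtf.embed")
    return bits


def _cfb_header(major):
    # Constructed 512-byte CFB header: magic, zero CLSID, minor 0x003E, major version.
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    hdr[24:26] = (0x003E).to_bytes(2, "little")
    hdr[26:28] = major.to_bytes(2, "little")
    return bytes(hdr)


# Constructed sample buffers, not captured traffic.
SAMPLES = {
    "cfb_v3": _cfb_header(3),
    "cfb_v4": _cfb_header(4),
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17,
    "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 22,
    "zip_excluded": b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 22,
    "rtf_plain": b"{\\rtf1\\ansi Hello}",
    "rtf_pkg": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0105}}}",
    "rtf_pkg_split": b"{\\rtf1{\\object\\objemb\\objw1440{\\*\\objclass Package}}}",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} -> {sorted(identify_file_data(blob))}")
```

# Run it directly to print the bits per sample. The "rtf_pkg_split" sample gets only
# file.rtf: it carries an embedded Package object, but with \objw between \objemb and
# {\*\objclass the fixed string in sid 8445 no longer matches.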
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:20621; rev:15;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_client,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:20850; rev:17;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_server,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:20851; rev:18;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DIB file download request"; flow:to_server,established; content:".dib"; fast_pattern:only; http_uri; pcre:"/\x2edib([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:20963; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; content:".sami"; fast_pattern:only; http_uri; pcre:"/\x2esami([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpe"; fast_pattern:only; http_uri; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jif"; fast_pattern:only; http_uri; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jfi"; fast_pattern:only; http_uri; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:11;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21035; rev:14;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21036; rev:15;)
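# Added example, not part of the community ruleset: a Python mirror of the request-side
# FILE-IDENTIFY rules, i.e. the http_uri extension checks (sids 13801, 15013, 15587,
# 16205, 16406, 16407, 16425, 17380, 19211, 20621) and the POP3/IMAP/SMTP attachment
# checks (sids 20850/20851, 21035/21036), run over constructed URIs and MIME fragments.
# It shows what the pcre tail ([\?\x5c\x2f]|$) accepts and rejects, and that the
# attachment rules' content options are independent of each other, which is why a
# "filename=invoice.pdf.exe" attachment is tagged as a PDF while a lower-case
# "content-disposition:" header is not tagged at all. Names and sample messages are this
# example's own; fast_pattern:only is treated as a prefilter that the pcre then decides.

```python
"""Mirror of the FILE-IDENTIFY request-side rules: http_uri extension checks
(sids 13801, 15013, 15587, 16205, 16406, 16407, 16425, 17380, 19211, 20621) and
POP3/IMAP/SMTP attachment checks (sids 20850/20851, 21035/21036). Added example,
not part of the ruleset; names and sample messages are this example's own."""
import re

# Each request rule's pcre is /\x2e<ext>([\?\x5c\x2f]|$)/smiU: the extension must be
# followed by '?', '\', '/' or the end of the URI, so ".exe" does not match "/a.exe.txt".
URI_RULES = (
    ("rtf", ("file.rtf",)),                # sid 13801
    ("pdf", ("file.pdf",)),                # sid 15013
    ("doc", ("file.doc", "file.rtf")),     # sid 15587: a .doc may really be RTF
    ("bmp", ("file.bmp",)),                # sid 16205
    ("jpg", ("file.jpeg",)),               # sid 16406
    ("jpeg", ("file.jpeg",)),              # sid 16407
    ("exe", ("file.exe",)),                # sid 16425
    ("png", ("file.png",)),                # sid 17380
    ("zip", ("file.zip",)),                # sid 19211
    ("jar", ("file.jar",)),                # sid 20621
)

# Attachment rules. The three content options and the pcre carry no distance/within,
# so each one is an independent "somewhere in the packet" test.
ATTACHMENT_RULES = (
    ("emf", "file.emf"),                   # sids 20850/20851
    ("pdf", "file.pdf"),                   # sids 21035/21036
)


def uri_flowbits(uri):
    """Flowbits the request rules set for one normalised request URI (the U flag).
    Snort's s, m, i flags map to re.S, re.M, re.I."""
    bits = set()
    for ext, flowbits in URI_RULES:
        if re.search(r"\x2e" + ext + r"([\?\x5c\x2f]|$)", uri, re.S | re.M | re.I):
            bits.update(flowbits)
    return bits


def attachment_flowbits(message):
    """Flowbits the attachment rules set for one MIME message fragment."""
    # content:"Content-Disposition: attachment|3B|" has no nocase, so a lower-case
    # header name (legal under RFC 5322) is never tagged.
    if "Content-Disposition: attachment;" not in message:
        return set()
    if "filename=" not in message.lower():        # content:"filename="; nocase
        return set()
    bits = set()
    for ext, flowbit in ATTACHMENT_RULES:
        # pcre:"/filename=[^\n]*\x2e<ext>/i": the extension only has to appear
        # somewhere later on the same line, so "invoice.pdf.exe" is tagged as PDF.
        if re.search(r"filename=[^\n]*\x2e" + ext, message, re.I):
            bits.add(flowbit)
    return bits


# Constructed MIME fragments, not captured mail.
MAIL_PDF = ("Content-Type: application/pdf; name=\"invoice.pdf\"\r\n"
            "Content-Disposition: attachment; filename=\"invoice.pdf\"\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQK\r\n")
MAIL_DOUBLE_EXT = ("Content-Type: application/octet-stream\r\n"
                   "Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\r\n"
                   "\r\nTVqQAAMAAAAEAAAA\r\n")
MAIL_EMF = ("Content-Type: image/x-emf\r\n"
            "Content-Disposition: attachment; filename=\"chart.EMF\"\r\n\r\nAQAAAGw=\r\n")
MAIL_INLINE = ("Content-Type: image/x-emf\r\n"
               "Content-Disposition: inline; filename=\"chart.emf\"\r\n\r\nAQAAAGw=\r\n")
MAIL_LOWERCASE = ("content-type: application/pdf\r\n"
                  "content-disposition: attachment; filename=\"report.pdf\"\r\n"
                  "\r\nJVBERi0xLjQK\r\n")

if __name__ == "__main__":
    for uri in ("/download/setup.exe", "/report.PDF?id=1", "/a.exe.txt", "/files/q1.doc"):
        print(f"{uri:22s} -> {sorted(uri_flowbits(uri))}")
    for name, mail in (("pdf", MAIL_PDF), ("double_ext", MAIL_DOUBLE_EXT),
                       ("emf", MAIL_EMF), ("inline", MAIL_INLINE),
                       ("lowercase", MAIL_LOWERCASE)):
        print(f"{name:12s} -> {sorted(attachment_flowbits(mail))}")
```

# The same attachment logic applies unchanged to the XSL/XSLT/XML/PNG/paq8o/SMI/SAMI
# attachment pairs further down; only the extension and the flowbit differ.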
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Betad variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"/login.php"; nocase; http_uri; content:"|C9
97 A2 F3 7E 37 CB 7E 27|"; fast_pattern:only; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/46a87d0818ffd828df5c8fca63b1628f068e50cf3d
20ec0e4e009e1dd547b9e9/analysis/; classtype:trojan-activity; sid:21230; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
known malicious user-agent string DataCha0s"; flow:to_server, established;
content:"User-Agent|3A 20|DataCha0s"; fast_pattern:only; http_header;
metadata:ruleset community, service http;
reference:url,www.internetofficer.com/web-robot/datacha0s/; classtype:network-scan;
sid:21246; rev:6;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP
login banner - 0wns j0"; flow:established,to_client; content:"220|20|"; depth:4;
content:"0wns j0"; distance:0; nocase; metadata:impact_flag red, policy balanced-
ips drop, policy security-ips drop, ruleset community, service ftp;
reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-
ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html;
classtype:trojan-activity; sid:21255; rev:5;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP
quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221
Goodbye happy r00ting"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service ftp;
reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-
i.html; classtype:trojan-activity; sid:21256; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC URI -
known scanner tool muieblackcat"; flow:to_server, established;
content:"/muieblackcat"; nocase; http_uri; pcre:"/\/muieblackcat$/Ui";
metadata:policy security-ips drop, ruleset community, service http;
reference:url,serverfault.com/questions/309309/what-is-muieblackcat;
classtype:network-scan; sid:21257; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
known malicious user-agent string Morfeus Scanner"; flow:to_server, established;
content:"User|2D|Agent|3A 20|Morfeus|20|Fucking|20|Scanner"; fast_pattern:only;
http_header; metadata:ruleset community, service http; classtype:network-scan;
sid:21266; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TRENDnet
IP Camera anonymous access attempt"; flow:to_server,established; content:"/anony/";
fast_pattern:only; http_uri; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|
mjpg\.cgi)/Ui"; metadata:ruleset community, service http; reference:url,console-
cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html;
reference:url,www.trendnet.com/press/view.asp?id=1958;
reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/;
classtype:policy-violation; sid:21267; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSL file
download request"; flow:to_server,established; content:".xsl"; fast_pattern:only;
http_uri; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml;
flowbits:noalert; metadata:ruleset community, service http; classtype:misc-
activity; sid:21282; rev:8;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSL file
attachment detected"; flow:to_client,established; content:".xsl";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i";
flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap,
service pop3; classtype:misc-activity; sid:21283; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSL file
attachment detected"; flow:to_server,established; content:".xsl";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i";
flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp;
classtype:misc-activity; sid:21284; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSLT file
download request"; flow:to_server,established; content:".xslt"; fast_pattern:only;
http_uri; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml;
flowbits:noalert; metadata:ruleset community, service http; classtype:misc-
activity; sid:21285; rev:8;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSLT file
attachment detected"; flow:to_client,established; content:".xslt";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i";
flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap,
service pop3; classtype:misc-activity; sid:21286; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSLT file
attachment detected"; flow:to_server,established; content:".xslt";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i";
flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp;
classtype:misc-activity; sid:21287; rev:10;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML
download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase;
http_header; content:"text/xml"; within:20; fast_pattern; nocase; http_header;
flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http;
classtype:misc-activity; sid:21288; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
ASafaWeb Scan"; flow:to_server,established; content:"User-Agent|3A| asafaweb.com";
fast_pattern:only; http_header; metadata:policy balanced-ips alert, policy
security-ips drop, ruleset community, service http; reference:url,asafaweb.com;
classtype:network-scan; sid:21327; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Remote
Execution Backdoor Attempt Against Horde"; flow:to_server,established;
content:"/services/javascript.php"; fast_pattern:only; http_uri; content:"href=";
http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:ruleset
community, service http; reference:cve,2012-0209;
reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155;
reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/;
reference:url,pastebin.com/U3ADiWrP; classtype:web-application-attack; sid:21375;
rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY paq8o file
download request"; flow:to_server,established; content:".paq8o"; fast_pattern:only;
http_uri; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip;
flowbits:noalert; metadata:ruleset community, service http; classtype:misc-
activity; sid:21410; rev:12;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY paq8o file
attachment detected"; flow:to_client,established; content:".paq8o";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i";
flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap,
service pop3; classtype:misc-activity; sid:21411; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY paq8o file
attachment detected"; flow:to_server,established; content:".paq8o";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i";
flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp;
classtype:misc-activity; sid:21412; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF hostile
PDF associated with Laik exploit kit"; flow:to_client,established;
flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate
(D:20110405234628)>>"; fast_pattern:only; metadata:ruleset community, service ftp-
data, service http, service imap, service pop3; classtype:trojan-activity;
sid:21417; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole
exploit kit JavaScript carat string splitting with hostile applet";
flow:to_client,established; content:"<html><body><applet|20|code="; nocase;
content:"|20|archive="; distance:0; nocase; content:"display|3A|none|3B|";
distance:0; nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag
red, policy max-detect-ips drop, ruleset community, service http;
reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655;
reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885;
reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544;
reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723;
reference:cve,2012-1889; reference:cve,2012-4681;
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-
kit.aspx; classtype:trojan-activity; sid:21438; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI
request for known malicious URI - base64 encoded"; flow:to_server,established;
content:"GET http|3A 2F 2F|"; depth:11; base64_decode:relative; base64_data;
content:"clk="; content:"&bid="; distance:0; content:"&aid="; within:5;
distance:40; content:"&sid="; distance:0; content:"&rd="; distance:0;
content:"&x86="; distance:0; metadata:impact_flag red, ruleset community, service
http; reference:url,www.damballa.com/tdl4/; classtype:trojan-activity; sid:21442;
rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.TDSS variant outbound connection"; flow:to_server,established;
content:"User-Agent|3A| Mozilla/4.0 (compatible|3B 20|)"; fast_pattern:only;
http_header; content:"HOST|3A|"; http_header; content:!"X-BlueCoat-Via"; nocase;
http_header; metadata:impact_flag red, ruleset community, service http;
reference:url,about-threats.trendmicro.com/Malware.aspx?language=apac&name=TDSS;
reference:url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba
321dba6391b49fc757e/analysis/; classtype:trojan-activity; sid:21444; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
known malicious user-agent string core-project"; flow:to_server, established;
content:"User-Agent|3A 20|core-project"; fast_pattern:only; http_header;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; classtype:misc-activity; sid:21475; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML
file magic detected"; flow:to_client,established; file_data; content:"<xml>";
depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert;
metadata:ruleset community, service ftp-data, service http, service imap, service
pop3; classtype:misc-activity; sid:21480; rev:13;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
Blackhole exploit kit landing page with specific structure - prototype catch";
flow:to_client,established; content:"try"; content:"prototype"; within:30;
content:"}catch("; within:30; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi";
metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service
http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659;
reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927;
reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110;
reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507;
reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681;
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-
kit.aspx; classtype:attempted-user; sid:21492; rev:22;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML
file magic detected"; flow:to_client,established; file_data; content:"<?xml";
depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert;
metadata:ruleset community, service ftp-data, service http, service imap, service
pop3; classtype:misc-activity; sid:21498; rev:13;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XML file
attachment detected"; flow:to_client,established; content:".xml";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i";
flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap,
service pop3; classtype:misc-activity; sid:21499; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file
attachment detected"; flow:to_server,established; content:".xml";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i";
flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp;
classtype:misc-activity; sid:21500; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bredolab variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|";
http_header; content:"smk="; depth:4; http_client_body; metadata:policy balanced-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31a
a86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:5;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file
attachment detected"; flow:to_client,established; content:".png";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i";
flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service imap,
service pop3; classtype:misc-activity; sid:21613; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file
attachment detected"; flow:to_server,established; content:".png";
fast_pattern:only; content:"Content-Disposition: attachment|3B|";
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i";
flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service smtp;
classtype:misc-activity; sid:21614; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:16;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21695; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21696; rev:11;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21697; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21698; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; content:".ani"; fast_pattern:only; http_uri; pcre:"/\x2eani([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21724; rev:10;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21725; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21726; rev:11;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21727; rev:10;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21728; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21729; rev:10;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21730; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21731; rev:10;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21732; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21733; rev:10;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21734; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21735; rev:10;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21736; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21737; rev:10;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21738; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21739; rev:11;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21746; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21747; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%"; flow:to_server,established; content:"%ALLUSERSPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21818; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%"; flow:to_server,established; content:"%PROGRAMDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21819; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%"; flow:to_server,established; content:"%APPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21820; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%"; flow:to_server,established; content:"%COMMONPROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21821; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%"; flow:to_server,established; content:"%COMMONPROGRAMFILES|40|x86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21822; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%"; flow:to_server,established; content:"%COMSPEC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21823; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%"; flow:to_server,established; content:"%HOMEDRIVE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21824; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%"; flow:to_server,established; content:"%HOMEPATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21825; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%"; flow:to_server,established; content:"%LOCALAPPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21826; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%"; flow:to_server,established; content:"%PROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21827; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86%"; flow:to_server,established; content:"%PROGRAMFILES|40|X86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21828; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%"; flow:to_server,established; content:"%SystemDrive%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21829; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%"; flow:to_server,established; content:"%SystemRoot%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21830; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TEMP%"; flow:to_server,established; content:"%TEMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21831; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TMP%"; flow:to_server,established; content:"%TMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21832; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%"; flow:to_server,established; content:"%USERDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21833; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%"; flow:to_server,established; content:"%USERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21834; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%"; flow:to_server,established; content:"%USERPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21835; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%"; flow:to_server,established; content:"%WINDIR%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21836; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%"; flow:to_server,established; content:"%PUBLIC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21837; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%"; flow:to_server,established; content:"%PSModulePath%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21838; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%"; flow:to_server,established; content:"%COMPUTERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21839; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%"; flow:to_server,established; content:"%LOGONSERVER%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21840; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%"; flow:to_server,established; content:"%PATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21841; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%"; flow:to_server,established; content:"%PATHEXT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21842; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%"; flow:to_server,established; content:"%PROMPT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21843; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%"; flow:to_server,established; content:"%USERDOMAIN%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21844; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000="; fast_pattern; content:"SL_"; http_cookie; content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TDS Sutra - request in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Ui"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21846; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id="; within:3; nocase; content:!"&"; within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/smi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; content:"/in.cgi"; http_header; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Hsmi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; content:"/hi.cgi"; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"302"; http_stat_code; content:"=_"; content:"_|5C 3B| domain="; within:11; distance:1; pcre:"/^[a-z]{5}\d=_\d_/C"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21856; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21857; rev:11;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21908; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_server,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21909; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21940; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XM file download request"; flow:to_server,established; content:".xm"; fast_pattern:only; http_uri; pcre:"/\x2exm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:22043; rev:6;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_client,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:22044; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_server,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:22045; rev:8;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_client,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22046; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; fast_pattern:only; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:22061; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:ruleset community, service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</script><!DOCTYPE"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:23179; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23481; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23482; rev:4;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:20; content:"|9E 98|"; depth:2; offset:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23651; rev:12;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23652; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23653; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23654; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23655; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23656; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23657; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23664; rev:14;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23667; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23670; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23678; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23707; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23708; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23711; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23725; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<xml>"; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23758; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic
detected"; flow:to_server,established; file_data; content:"<?xml"; depth:50;
nocase; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community,
service smtp; classtype:misc-activity; sid:23759; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY EMF file magic
detected"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4;
content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf;
flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service
smtp; classtype:misc-activity; sid:23766; rev:12;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file magic
detected"; flow:to_server,established; file_data; content:"Extended Module:";
fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset
community, service smtp; classtype:misc-activity; sid:23773; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; content:".asp?"; content:"mac="; within:4; content:"&ver="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh"; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24253; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24254; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 48 00 00 00|"; within:8; distance:24; fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:6;)
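#
# Added example (not from the ruleset or its authors): the field checks of
# sid 24359 above, reimplemented in Python over a constructed SMB1 Session
# Setup AndX request, so the offset arithmetic in the rule can be verified:
# Reserved field at packet offset 26 (distance:13 after the 9-byte header
# match), AndXCommand at packet offset 37 (distance:9), and the UserName
# security buffer at NTLMSSP offset 36 (distance:24 after the 12-byte
# "NTLMSSP\0" + type prefix) being Len 0, MaxLen 0, Offset 0x48. The SMB and
# NTLMSSP messages are abbreviated to the fields the rule reads; all other
# fields are zero-filled and the message would not actually authenticate.
#
```python
import struct

NTLMSSP_AUTHENTICATE = 3
SMB_COM_SESSION_SETUP_ANDX = 0x73


def ntlmssp_descriptors(blob):
    """Parse the six (Len, MaxLen, Offset) security buffers of an NTLMSSP
    AUTHENTICATE_MESSAGE. After the 8-byte signature and 4-byte type they
    are: LmChallengeResponse, NtChallengeResponse, DomainName, UserName,
    Workstation, EncryptedRandomSessionKey, 8 bytes each."""
    if len(blob) < 60 or blob[:8] != b"NTLMSSP\x00":
        return None
    if struct.unpack_from("<I", blob, 8)[0] != NTLMSSP_AUTHENTICATE:
        return None
    names = ("lm", "nt", "domain", "user", "workstation", "session_key")
    return {n: struct.unpack_from("<HHI", blob, 12 + 8 * i) for i, n in enumerate(names)}


def ntlmssp_blob_from_smb(pkt):
    """The SMB-side checks of the rule: 4-byte NetBIOS session header, then
    '\\xffSMB' + command 0x73 with NT status 0 (offset:4, depth:9), the
    Reserved header field zero (packet offset 26), AndXCommand 0xff (packet
    offset 37, i.e. no chained command), and an NTLMSSP type 3 signature
    within the next 100 bytes."""
    if pkt[4:13] != b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 4:
        return None
    if pkt[26:28] != b"\x00\x00" or pkt[37:38] != b"\xff":
        return None
    idx = pkt.find(b"NTLMSSP\x00\x03\x00\x00\x00", 38, 38 + 100)
    return None if idx < 0 else pkt[idx:]


def is_null_session(pkt):
    """sid 24359's final test: the UserName descriptor is Len 0, MaxLen 0,
    Offset 0x48, an empty user name whose payload would start right after the
    72-byte fixed header (64 bytes plus the 8-byte Version field)."""
    blob = ntlmssp_blob_from_smb(pkt)
    d = ntlmssp_descriptors(blob) if blob else None
    return d is not None and d["user"] == (0, 0, 0x48)


def build_authenticate(user=b"", domain=b"", workstation=b""):
    """Constructed AUTHENTICATE_MESSAGE: empty LM/NT responses, flags 0, an
    8-byte Version field so the payload begins at 0x48, no MIC."""
    fixed_len = 72
    descs, payload = [], b""
    for data in (b"", b"", domain, user, workstation, b""):
        descs.append(struct.pack("<HHI", len(data), len(data), fixed_len + len(payload)))
        payload += data
    return (b"NTLMSSP\x00" + struct.pack("<I", NTLMSSP_AUTHENTICATE) + b"".join(descs)
            + struct.pack("<I", 0) + b"\x00" * 8 + payload)


def build_session_setup(blob):
    """Constructed SMB1 Session Setup AndX request carrying `blob`; only the
    fields the rule looks at are meaningful, the rest are zero."""
    hdr = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 4  # command, NT status
           + b"\x18" + b"\xc8\x07"                                          # Flags, Flags2
           + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2                        # PIDHigh, SecurityFeatures, Reserved
           + b"\x00" * 8)                                                   # TID, PID, UID, MID
    assert len(hdr) == 32
    # WordCount 12, AndXCommand 0xff, AndXReserved, AndXOffset, MaxBuffer, MaxMpx,
    # VcNumber, SessionKey, SecurityBlobLength, Reserved, Capabilities
    params = (b"\x0c\xff\x00\x00\x00" + b"\xff\xff\x02\x00\x01\x00" + b"\x00" * 4
              + struct.pack("<H", len(blob)) + b"\x00" * 4 + b"\xd4\x00\x00\x80")
    body = params + struct.pack("<H", len(blob)) + blob   # ByteCount, then the blob
    return struct.pack(">I", 32 + len(body)) + hdr + body
```
# is_null_session(build_session_setup(build_authenticate())) is True, while the
# same request built with user=b"alice" is not, because the UserName descriptor
# then reads (5, 5, 0x48). Note that the rule only sets the smb.null_session
# flowbit and never alerts on its own.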
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24455; rev:9;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24456; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24457; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24458; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; urilen:11; content:"|2F|Config|2E|txt"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:".php?ip="; http_uri; content:"&os="; distance:0; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:established,to_server; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,128,0,relative; content:"|01 00|"; within:2; distance:52; content:"|04 01|"; within:2; distance:11; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11<>20; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:!"Content-Disposition"; http_client_body; content:"Content-Length: "; nocase; byte_test:8,<,369,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; urilen:95; content:" HTTP/1.0|0D 0A|Host:"; fast_pattern:only; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25054; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; urilen:52; content:"/s/?k="; fast_pattern:only; http_header; pcre:"/^\x2f[a-z0-9]{51}$/Ui"; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25224; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/a/image.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25256; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Skintrim variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bin/check.php?cv="; http_uri; content:"ThIs_Is_tHe_bouNdaRY_$"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast variant outbound connection"; flow:to_server,established; content:"/file.aspx?file="; fast_pattern:only; http_uri; content:"ksp/WS"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; content:".gif"; http_uri; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"From|3A|"; http_header; content:"Via|3A|"; http_header; urilen:13; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"/default.aspx?ver="; http_uri; content:"&uid="; distance:0; http_uri; content:"|3B 20|MRA|20|5.10|20|"; http_header; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25271; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; r2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; content:"Acunetix-"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25358; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25359; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; content:"password=g00dPa$$w0rD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25360; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; content:"src=/testasp.vulnweb.com/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25361; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; content:"PHNjcmlwdD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25362; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; flow:to_server,established; content:"http:/www.acunetix.com"; fast_pattern:only; http_uri; content:"Acunetix-"; nocase; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25363; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; content:"<ScRiPt>prompt("; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25364; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner XSS attempt"; flow:to_server,established; content:">=|5C|xa2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25365; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:16; content:"/cgi-bin/sba.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/cgi-bin/op.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:2;)
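#
# Added example (not from the ruleset or its authors): a small evaluator that
# applies the buffer-specific options the MALWARE-CNC rules in this file rely
# on (urilen, http_method, http_uri, http_header, http_client_body, negated
# content, and the pcre /U /H /P modifiers) to a raw HTTP request, for sids
# 25054, 25471, 25503 and 25807. The buffer split is an approximation of
# Snort's HTTP inspector: the URI is taken raw, without Snort's normalisation,
# and the header buffer is everything after the request line. The sample
# requests are constructed, not captured traffic.
#
```python
import re


def parse_request(raw):
    """Split a request into the buffers the rule options refer to."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {"raw": raw, "method": method, "uri": uri,
            "header": headers + b"\r\n", "body": body}


# Each helper returns a predicate over the parsed request; a rule is a list of
# predicates that must all hold, like its semicolon-separated options.
def urilen(lo, hi=None):
    # "urilen:N" is exact; "urilen:lo<>hi" is read inclusively here, which is
    # what makes sid 25807's 95<>102 agree with its pcre ({90,97} plus "/" and ".php").
    return lambda r: len(r["uri"]) == lo if hi is None else lo <= len(r["uri"]) <= hi


def method(m):
    return lambda r: r["method"] == m


def content(buf, needle, negate=False):
    # content:"..." with http_uri / http_header / http_client_body, or with no
    # modifier ("raw": the whole request); content:!"..." is negate=True.
    return lambda r: (needle in r[buf]) != negate


def pcre(buf, pattern, flags=0):
    rx = re.compile(pattern, flags)
    return lambda r: rx.search(r[buf]) is not None


RULES = {
    # sid 25054, ZeroAccess clickserver: the " HTTP/1.0\r\nHost:" content has
    # no buffer modifier, so it is matched against the raw request.
    25054: [urilen(95), content("raw", b" HTTP/1.0\r\nHost:"),
            pcre("uri", rb"^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$", re.I)],
    # sid 25471, Pushdo: fixed-length URI, 30 alphanumerics after "/?ptrxcz_".
    25471: [method(b"POST"), urilen(39), content("uri", b"/?ptrxcz_"),
            pcre("uri", rb"^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$", re.I)],
    # sid 25503, Necurs sba.cgi: the /P pcre requires four consecutive bytes in
    # the POST body outside printable ASCII and CR/LF (an encrypted payload).
    25503: [method(b"POST"), urilen(16), content("uri", b"/cgi-bin/sba.cgi"),
            pcre("body", rb"[^\x20-\x7e\x0d\x0a]{4}")],
    # sid 25807, Urausy: a "Chrome" UA that never sends Accept-Encoding.
    25807: [urilen(95, 102), content("header", b") Chrome/"),
            content("header", b"\nAccept-Encoding: ", negate=True),
            pcre("uri", rb"^\x2f[a-z\x2d\x5f]{90,97}\.php$")],
}


def matching_sids(raw):
    req = parse_request(raw)
    return sorted(sid for sid, checks in RULES.items() if all(c(req) for c in checks))


# Constructed requests, one per rule plus a negative case for the negated content.
SAMPLES = {
    "zeroaccess": b"GET /" + b"A" * 83 + b"=" + b"B" * 10 + b" HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    "pushdo": b"POST /?ptrxcz_" + b"k7Qm2ZpL9x" * 3 + b" HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n\r\n",
    "necurs": b"POST /cgi-bin/sba.cgi HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 8\r\n\r\n\x01\x02\x03\x04abcd",
    "urausy": b"GET /" + b"a" * 90 + b".php HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/24.0\r\n\r\n",
    "urausy_with_accept_encoding": b"GET /" + b"a" * 90 + b".php HTTP/1.1\r\nHost: example.invalid\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/24.0\r\nAccept-Encoding: gzip\r\n\r\n",
}
```
# matching_sids(SAMPLES["urausy"]) returns [25807]; adding an Accept-Encoding
# header (the last sample) returns [], which is the negated content doing its
# job. The ZeroAccess sample is not caught by sid 25807 despite its 95-byte
# URI because its header block carries no ") Chrome/" string.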
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|"; depth:9; offset:8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; content:"application/octet-stream"; fast_pattern:only; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25513; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; content:"application/x-msdos-program"; fast_pattern:only; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25514; rev:12;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25515; rev:11;)
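#
# Added example (not from the ruleset or its authors): the FILE-IDENTIFY magic
# checks of this file (sids 23656-23773 for SMTP and the PE rules 23725 and
# 25515) reimplemented over a raw file_data buffer, returning the flowbits the
# rules would set. It exists mainly to make two pieces of offset arithmetic
# checkable: the byte_jump/distance:-64 dance that lands exactly on e_lfanew
# in the PE rules, and the distance:16 that skips the CLSID to reach the CFB
# version field in sids 23707/23708. The Content-Type header requirement of
# sids 25513/25514 is outside what a file_data-only check can see and is not
# modelled. Sample inputs are constructed minimal headers, not real files.
#
```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _u32le(data, off):
    return struct.unpack_from("<I", data, off)[0] if off + 4 <= len(data) else None


def has_pe_header(data):
    """sids 23725 / 25515. content:"MZ" has no depth, so every "MZ" is a
    candidate (Snort retries later occurrences when the rest fails).
    byte_jump:4,58,relative,little reads the dword 58 bytes past the end of
    "MZ" (offset 60, e_lfanew) and moves the cursor to 60 + 4 + e_lfanew;
    content:"PE|00 00|"; within:4; distance:-64 then starts exactly at
    e_lfanew with a 4-byte window, so the signature must sit right there."""
    start = 0
    while True:
        idx = data.find(b"MZ", start)
        if idx < 0:
            return False
        e_lfanew = _u32le(data, idx + 2 + 58)
        if e_lfanew is not None and data[idx + e_lfanew: idx + e_lfanew + 4] == b"PE\x00\x00":
            return True
        start = idx + 1


def identify(data):
    """Return the set of flowbits the FILE-IDENTIFY rules would set on `data`."""
    bits = set()
    head4, head8 = data[:4], data[:8]
    if head4 in (b"PK\x06\x07", b"PK\x06\x06"):      # sids 23656/23657: zip64 EOCD locator / record
        bits |= {"file.zip", "file.jar"}
    if head8 == b"\x89PNG\r\n\x1a\n":                  # sid 23664, depth:8
        bits.add("file.png")
    if head4 in (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1", b"\xff\xd8\xff\xee"):  # sids 23667/24457/24458
        bits.add("file.jpeg")
    if b"{\\rt" in data:                                # sid 23670: no depth, anywhere in file_data
        bits.add("file.rtf")
    if b"%pdf-" in data.lower():                        # sid 23678: nocase, anywhere
        bits.add("file.pdf")
    if head8 == CFB_MAGIC:                              # sid 23711, depth:8
        bits |= {"file.ole", "file.fpx"}
    idx = data.find(CFB_MAGIC)
    if idx >= 0:
        # sids 23707/23708: distance:16 skips the 16-byte CLSID that follows the
        # 8-byte magic; the 4-byte window then covers minor version 0x003E and
        # major version 3 or 4, little-endian, at header offset 24.
        version = data[idx + 8 + 16: idx + 8 + 16 + 4]
        if version == b">\x00\x03\x00":
            bits.add("file.ole")
        elif version == b">\x00\x04\x00":
            bits.add("file.oless.v4")
    if has_pe_header(data):
        bits.add("file.exe")
    first50 = data[:50].lower()                         # depth:50 means the match must end within 50 bytes
    if b"<xml>" in first50 or b"<?xml" in first50:      # sids 23758/23759, nocase
        bits.add("file.xml")
    if head4 == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":  # sid 23766: 4 + distance:36 = offset 40
        bits.add("file.emf")
    if b"Extended Module:" in data:                     # sid 23773
        bits.add("file.xm")
    return bits


def sample_pe(e_lfanew=0x80):
    """Constructed DOS header with e_lfanew at offset 60 and "PE\\0\\0" there."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    return dos.ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + b"\x4c\x01"


def sample_cfb(major):
    """Constructed CFB header: magic, zero CLSID, minor 0x003E, given major."""
    return CFB_MAGIC + b"\x00" * 16 + struct.pack("<HH", 0x003E, major) + b"\xfe\xff\x09\x00"
```
# identify(sample_pe()) is {"file.exe"}, while b"MZ" followed by zeros is not:
# its e_lfanew of 0 points back at "MZ\0\0", which is the whole reason the
# rule chains the PE signature check instead of trusting the two-byte stub.
# A v4 compound file sets file.ole, file.fpx and file.oless.v4 together,
# because sids 23711 and 23708 both fire on it.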
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPod User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPod"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPod/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25518; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPad User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPad"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPad/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25519; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPhone User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPhone"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPhone/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25520; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"android"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*android/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25521; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Nokia User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nokia"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nokia/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25522; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Samsung User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"Samsung"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*samsung/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25523; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Kindle User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"kindle"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*kindle/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25524; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-OTHER Nintendo User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nintendo"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25525; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/admin/host.php"; fast_pattern:only; http_uri; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"PostalReceipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingInfo.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingDetails.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound connection"; flow:to_server,established; dsize:4; content:"|9A 02 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptic variant outbound connection"; flow:to_server,established; content:"Accept-Language: en-us|3B 0D 0A|"; http_header; content:"wok5VLG.6"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity; sid:25652; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/js/disable.js?type="; fast_pattern:only; http_uri; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC
Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established;
dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B|
Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159;
pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c
9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Agent
YEH variant outbound connection"; flow:to_server,established; content:"|29 3B 28|b|
3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|"; fast_pattern:only; http_header;
pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/Ui"; metadata:impact_flag red, policy balanced-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-
spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity;
sid:25765; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection"; flow:to_server,established;
content:"/cmd.php?cmd="; http_uri; content:"arq="; distance:0; http_uri;
content:"cmd2="; distance:0; http_uri; metadata:impact_flag red, policy balanced-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Urausy Botnet variant outbound connection"; flow:to_server,established;
urilen:95<>102; content:"|29 20|Chrome|2F|"; http_header; content:!"|0A|Accept-
Encoding|3A 20|"; http_header; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/U";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; reference:url,www.botnets.fr/index.php/Urausy;
classtype:trojan-activity; sid:25807; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan
Banker FTC variant outbound connection"; flow:to_server,established; urilen:18;
content:"/listas/out/si.php"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D
0A|"; depth:10; offset:24; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,www.sophos.com/en-us/threat-
center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx;
classtype:trojan-activity; sid:25829; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|info|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"APP-DETECT Ammyy remote access tool"; flow:to_server,established; content:"POST"; http_method; content:"|0A|Host|3A 20|rl.ammyy.com|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.ammyy.com; classtype:policy-violation; sid:25947; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound data connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_header; content:"form-data|3B| name=|22|userfile|22 3B| filename="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/979c14f993a1cd91f1b890f93a59ab5b14e059e056b9cf069222f529e50a4d5f/; reference:url,www.virustotal.com/#/file/ac9aea57da03206b1df12b5c012537c899bf5d67a5eb8113b4a4d99e0a0eb893/; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; urilen:7; content:"/in.php"; http_uri; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"|0A|Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; urilen:20; content:"/b/n/winrar/tudo.rar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26057; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:26058; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; content:"a=select CAMPO from PAGINA where CODIGO = "; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|identity|0D 0A|"; distance:0; http_header; pcre:"/\x0d\x0aContent\x2dLength\x3a\x20(124|132)\x0d\x0a/H"; pcre:"/\x3d?\x3d\r\n$/P"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26106; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gupd variant outbound connection"; flow:to_server,established; content:"cstype="; depth:7; http_client_body; content:"&authname="; within:48; distance:1; http_client_body; content:"&authpass="; within:48; distance:1; http_client_body; content:"&hostname="; within:48; distance:1; http_client_body; content:"&ostype="; within:256; distance:1; http_client_body; content:"&macaddr="; within:64; distance:16; http_client_body; content:"&owner="; within:48; distance:17; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity; sid:26203; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; urilen:12; content:"/pid/pid.txt"; fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxyier variant outbound connection"; flow:to_server,established; content:"GET /?"; depth:6; content:"HTTP/1.1|0D 0A|Host|3A 20|update|2E|"; distance:0; content:"0b8pre|0D 0A|"; fast_pattern:only; http_header; content:!"|0A|Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:26212; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26251; rev:9;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"Postal-Receipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dapato banking Trojan variant outbound connection"; flow:to_server,established; urilen:21; content:"/pics/_vti_cnf/00.inf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/"; depth:10; nocase; http_uri; content:"${IFS}"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_client_body; content:"%0"; distance:0; http_client_body; pcre:"/(^|&)submit_button=[^&]+%0[^&]/Pim"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26276; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_raw_uri; content:"%0"; distance:0; http_raw_uri; pcre:"/[?&]submit_button=[^&]+%0[^&]/i"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26277; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_client_body; content:"PasswdModify=1"; nocase; http_client_body; content:"http_passwd="; nocase; http_client_body; content:"http_passwdConfirm="; nocase; http_client_body; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26278; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_uri; content:"PasswdModify=1"; nocase; http_uri; content:"http_passwd="; nocase; http_uri; content:"http_passwdConfirm="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26279; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org"; flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26287; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brontok Worm variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port"; flow:to_server,established; content:"POST"; depth:4; pcre:"/^POST\x20\x2f[a-z]+\.[a-z]{3}\x20HTTP\x2f1\.1\r\n/"; content:"|0D 0A|Content|2D|Disposition|3A 20|form|2D|data|3B 20|name|3D 22|"; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/R"; pcre:"/\d+\x2d{2}\r\n$/R"; metadata:impact_flag red, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e74bcc1c43f8050242d53/analysis/1359999907/; classtype:trojan-activity; sid:26289; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC file path used as User-Agent - potential Trojan"; flow:to_server,established; content:"User-Agent|3A 20|C:|5C|"; fast_pattern:only; http_header; pcre:"/\.exe$/iU"; pcre:"/^User\x2dAgent\x3a\x20c\x3a\x5c[^\r\n]*?\.exe\r\n/Him"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b84708a355f7c46b358fa375/analysis/; classtype:trojan-activity; sid:26319; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:".php?mac="; fast_pattern:only; http_uri; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_header; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection"; flow:to_server,established; content:"|3B 20|sv|3A|"; http_header; content:"|3B 20|id|3A|"; within:5; distance:1; http_header; pcre:"/^User\x2dAgent\x3a\s[^\r\n]*?\x3b\x20id\x3a[A-F0-9]{8}\x2d([A-F0-9]{4}\x2d){3}[A-F0-9]{12}\)[^\r\n]*?\r\n/Hm"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26327; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; content:"/nosignal.jpg?"; fast_pattern:only; http_uri; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26335; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to dyndns.org detected"; flow:to_server,established; content:"Host|3A 20|checkip.dyndns.org"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26353; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; urilen:8; content:"/ksa.txt"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; content:"op="; depth:3; http_client_body; content:"&nmpc="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_server,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service smtp; classtype:trojan-activity; sid:26380; rev:3;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service ftp-data, service imap, service pop3; classtype:trojan-activity; sid:26381; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26382; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Ufasoft bitcoin miner possible data upload"; flow:to_server,established; content:"User-Agent|3A| Ufasoft"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,ufasoft.com/open/bitcoin/; classtype:policy-violation; sid:26395; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf48475272df5b60edf556e4299/analysis/; classtype:trojan-activity; sid:26398; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to j.maxmind.com detected"; flow:to_server,established; content:"/app/geoip.js"; http_uri; content:"Host|3A 20|j.maxmind.com"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26410; rev:4;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26411; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; content:".exe"; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26412; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; content:"|5C|"; within:1; content:"|00 44 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00|"; distance:0; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26413; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Magic variant inbound connection"; flow:to_client,established; file_data; content:"some_magic_code1"; depth:36; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:26467; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Location"; fast_pattern:only; content:"blobheadervalue2="; nocase; metadata:ruleset community, service http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26468; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Refresh"; fast_pattern:only; content:"blobheadervalue2="; nocase; metadata:ruleset community, service http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26469; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; fast_pattern:only; http_header; pcre:"/\.png$/Ui"; content:!"User-Agent:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26480; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established; content:"/thinner/thumb?img="; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111; classtype:trojan-activity; sid:26482; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; content:"User-Agent|3A| <SCRIPT>"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; content:"0aW1lP"; fast_pattern; http_header; content:"/index.php?"; distance:-50; http_header; base64_decode:bytes 150, offset 10, relative; base64_data; content:"time="; content:"&src="; distance:0; content:"&surl="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown malware - Incorrect headers - Referer HTTP/1.0"; flow:to_server,established; content:"Referer: HTTP/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26533; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; content:"/elections.php?"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/builds/"; nocase; http_uri; content:"fflists.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:misc-activity; sid:26553; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - getcomando POST data"; flow:to_server,established; content:"tipo=getcomando&"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a8f162a9c7347e485db374664227884b16112e2983923d0888c8b80661f25e44/analysis/1367267173/; classtype:trojan-activity; sid:26560; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"&sk1="; fast_pattern:only; http_client_body; content:"bn1="; depth:4; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26561; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-content"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26576; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; content:"/images/m.php?id="; fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; content:"/ccbill/m.php?id="; fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php"; within:100; content:"</iframe>"; distance:0; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Medfos Trojan variant outbound connection"; flow:to_server,established; content:"/feed?req=http"; fast_pattern:only; http_uri; content:"|3B| MSIE "; http_header; content:!"|0D 0A|Accept-Language:"; http_header; content:!"|0D 0A|Referer:"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/Hsmi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd";
depth:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA092
30DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Travnet Botnet data upload"; flow:to_server,established;
content:"hostid="; http_uri; content:"|26|hostname="; http_uri; content:"|26|
hostip="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC1
0D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity; sid:26656; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Shiz variant outbound connection"; flow:to_server,established;
content:"GET"; http_method; content:"/login.php"; depth:10; http_uri;
content:"Referer|3A| http://www.google.com"; http_header; content:"User-Agent|3A|
Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; fast_pattern:only; http_header;
pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,camas.comodo.com/cgi-bin/submit?
file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6;
reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb652
8fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657;
rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-WEBKIT
Possible Google Chrome Plugin install from non-trusted source";
flow:to_server,established; content:!"googleusercontent"; http_header;
content:!"google.com"; http_header; content:"|2F|crx|2F|blobs"; http_uri;
content:!"gvt1.com"; http_header; metadata:ruleset community, service http;
reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-
hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:26658; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-FIREFOX
Possible Mozilla Firefox Plugin install from non-Mozilla source";
flow:to_server,established; content:!"mozilla"; http_header; content:".xpi";
nocase; http_uri; pcre:"/\.xpi$/Ui"; metadata:ruleset community, service http;
reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html;
classtype:bad-unknown; sid:26659; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake
delivery information phishing attack"; flow:to_client,established; content:"|3B|
filename="; http_header; content:"Delivery_Information_ID-"; fast_pattern:only;
http_header; file_data; content:"Delivery_Information_ID-"; content:".exe";
within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity; sid:26660;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Namihno variant outbound request"; flow:to_server,established;
content:"/windows/update/search?hl="; http_uri; content:"&q="; distance:0;
http_uri; content:"&meta="; distance:0; http_uri; content:"&id="; distance:0;
http_uri; metadata:policy balanced-ips alert, policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:26695; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay
Ransomware variant outbound connection - Abnormal HTTP Headers";
flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type:
multipart/form-data|3B| boundary="; depth:70; content:"|0D 0A|Connection: close|0D
0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_header; content:"|3B|
name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body;
metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop,
ruleset community, service http;
reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-
moved.html; classtype:trojan-activity; sid:26696; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay
Ransomware variant outbound connection - POST Body"; flow:to_server,established;
content:"index.php"; http_uri; content:"|3B| name=|22|data|22 3B| filename=|22|";
fast_pattern:only; http_client_body; content:"--"; depth:2; http_client_body;
pcre:"/filename=\x22\d+\x22\r\n/P"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-
moved.html; classtype:trojan-activity; sid:26697; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Compromised Website response - leads to Exploit Kit"; flow:to_client,established;
file_data; content:"<!--ded509-->"; content:"<!--/ded509-->"; distance:0;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,www.jsunpack.jeek.org/?
report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity;
sid:26698; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Kazy Trojan
check-in"; flow:to_server,established; content:"User-Agent: Opera/11 |28|Windows NT
5.1|3B 20 3B| x86|29|"; fast_pattern:only; http_header; content:"/count.php?page=";
depth:16; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,camas.comodo.com/cgi-bin/submit?
file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157;
classtype:trojan-activity; sid:26712; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established;
content:"gate.php|3F|reg="; http_uri; content:"User-Agent|3A| Mozilla/4.0
(compatible|3B| Synapse)|0D 0A|"; fast_pattern:only; http_header;
pcre:"/gate\x2ephp\x3freg=[a-z]{10}/U"; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26713; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established;
content:"gate.php|3F|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/U";
content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|"; fast_pattern:only;
http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-
revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established;
content:"gate.php|3F|id="; http_uri; content:"User-Agent|3A| Mozilla/4.0
(compatible|3B| SEObot)|0D 0A|"; fast_pattern:only; http_header;
pcre:"/gate\x2ephp\x3fid=[a-z]{15}/U"; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26715; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kbot variant outbound connection"; flow:to_server,established;
content:"s_alive.php?id="; fast_pattern:only; http_uri; metadata:policy balanced-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity;
sid:26719; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kbot variant outbound connection"; flow:to_server,established;
content:"s_task.php?id="; fast_pattern:only; http_uri; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity;
sid:26720; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake
JPG encrypted config file download"; flow:to_server,established; content:".com.br|
0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri;
content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.
[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]
+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; classtype:trojan-activity;
sid:26722; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan
Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D
0A|"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept-
Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html;
classtype:trojan-activity; sid:26723; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data;
content:"http|7C|"; depth:5; pcre:"/^http\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26725; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data;
content:"stop|7C|"; depth:5; pcre:"/^stop\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26726; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data;
content:"die|7C|"; depth:4; pcre:"/^die\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26727; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data;
content:"sleep|7C|"; depth:6; pcre:"/^sleep\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26728; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data;
content:"simple|7C|"; depth:7; pcre:"/^simple\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26729; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data;
content:"loginpost|7C|"; depth:10; pcre:"/^loginpost\x7c\d+\x7c\d+\x7C[a-z0-
9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26730; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data;
content:"datapost|7C|"; depth:9; pcre:"/^datapost\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-
z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26731; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data;
content:"syn|7C|"; depth:4; pcre:"/^syn\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26732; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data;
content:"udp|7C|"; depth:4; pcre:"/^udp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26733; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data;
content:"udpdata|7C|"; depth:8; pcre:"/^udpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26734; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data;
content:"data|7C|"; depth:5; pcre:"/^data\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26735; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data;
content:"icmp|7C|"; depth:5; pcre:"/^icmp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26736; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data;
content:"tcpdata|7C|"; depth:8; pcre:"/^tcpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26737; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data;
content:"dataget|7C|"; depth:8; pcre:"/^dataget\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26738; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data;
content:"connect|7C|"; depth:8; pcre:"/^connect\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26739; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data;
content:"dns|7C|"; depth:4; pcre:"/^dns\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26740; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data;
content:"exec|7C|"; depth:5; isdataat:!200; pcre:"/^exec\x7c\d+\x7c\d+\x7C[a-z0-
9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26741; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data;
content:"resolve|7C|"; depth:8; pcre:"/^resolve\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26742; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data;
content:"antiddos|7C|"; depth:9; pcre:"/^antiddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-
z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26743; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data;
content:"range|7C|"; depth:6; pcre:"/^range\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26744; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data;
content:"ftp|7C|"; depth:4; pcre:"/^ftp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26745; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data;
content:"download|7C|"; depth:9; pcre:"/^download\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-
z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26746; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data;
content:"fastddos|7C|"; depth:9; pcre:"/^fastddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-
z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26747; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data;
content:"slowhttp|7C|"; depth:9; pcre:"/^slowhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-
z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26748; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data;
content:"allhttp|7C|"; depth:8; pcre:"/^allhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26749; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data;
content:"full|7C|"; depth:5; pcre:"/^full\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]
{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-
delphi; classtype:trojan-activity; sid:26750; rev:4;)
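Each rule above is a chain of content and pcre options that Snort evaluates in order against the buffers its HTTP inspector carves out (uri, header, client body, file_data). What follows is an added example, not Snort and not part of this ruleset: a small Python model of the option subset these community rules use (content with http_* buffer modifiers, depth/offset/distance/within, nocase and "!" negation; the file_data and pkt_data sticky buffers; pcre with the U/I/H/P/M buffer flags), replayed against constructed traffic for the Medfos check-in (sid 26613) and the BlackRev "http" C2 command (sid 26725). The two rule strings are copied from the page with their metadata and reference options shortened; the hostnames, IP address and C2 reply line are made up; per-buffer cursor handling and the "no buffer flag means the sticky buffer" pcre behaviour are simplifications of Snort's own semantics.

```python
"""Mini evaluator for the Snort 2 options these community rules rely on. Added example,
not Snort and not ruleset code; see the constants and comments for what it assumes."""
import re

OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?\s*;')   # name[:value]; a ';' inside quotes is literal
BUFFER_MODS = {"http_method": "method", "http_uri": "uri", "http_header": "header",
               "http_client_body": "body"}
STICKY = {"file_data": "file_data", "pkt_data": "raw"}
PCRE_BUF = {"U": "uri", "I": "uri", "H": "header", "P": "body", "M": "method"}
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}

def split_options(rule_text):
    """[(name, value), ...] for the options between the rule's parentheses."""
    body = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    return [(name, value.strip()) for name, value in OPTION_RE.findall(body)]

def decode_content(value):
    """'!"|3B| MSIE "' -> (True, b'; MSIE '): |..| spans are hex bytes, '!' negates."""
    negated = value.startswith("!")
    out = bytearray()
    for i, part in enumerate(value.lstrip("!").strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return negated, bytes(out)

def find_content(c, bufs, cursor, sticky):
    """depth/offset count from the buffer start; distance/within from the previous match."""
    name = c.get("buffer", sticky)
    hay, pat = bufs.get(name, b""), c["pat"]
    if c["nocase"]:
        hay, pat = hay.lower(), pat.lower()
    if c["relative"]:
        start = cursor.get(name, 0) + c.get("distance", 0)
        end = start + c["within"] if "within" in c else len(hay)
    else:
        start = c.get("offset", 0)
        end = start + c["depth"] if "depth" in c else len(hay)
    pos = hay.find(pat, start, end)
    if pos != -1:
        cursor[name] = pos + len(pat)
    return (pos != -1) != c["negated"]

def match_pcre(value, bufs, sticky):
    """pcre:"/body/flags": a buffer flag selects the buffer, otherwise the sticky one applies."""
    body, flags = value.strip('"')[1:].rsplit("/", 1)
    name = next((PCRE_BUF[f] for f in flags if f in PCRE_BUF), sticky)
    re_flags = sum(PCRE_FLAGS.get(f, 0) for f in flags)
    return re.search(body.encode("latin-1"), bufs.get(name, b""), re_flags) is not None

def evaluate(rule_text, bufs):
    """True when every content and pcre option of the rule matches the given buffers."""
    sticky, cursor, pending = "raw", {}, None
    for name, value in split_options(rule_text):
        if pending and name in BUFFER_MODS:
            pending["buffer"] = BUFFER_MODS[name]
        elif pending and name in ("depth", "offset", "distance", "within"):
            pending[name] = int(value)
            pending["relative"] |= name in ("distance", "within")
        elif pending and name == "nocase":
            pending["nocase"] = True
        elif name in ("content", "pcre") or name in STICKY:
            if pending and not find_content(pending, bufs, cursor, sticky):
                return False      # the previous content, now that all its modifiers are known
            pending = None
            if name == "content":
                negated, pat = decode_content(value)
                pending = {"pat": pat, "negated": negated, "nocase": False, "relative": False}
            elif name == "pcre" and not match_pcre(value, bufs, sticky):
                return False
            elif name in STICKY:
                sticky = STICKY[name]
        # msg, flow, fast_pattern, metadata, reference, classtype, sid, rev: not evaluated
    return not pending or find_content(pending, bufs, cursor, sticky)

def http_request(raw):
    """Split a constructed request into the buffers Snort's HTTP inspector would expose."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri = request_line.split(b" ")[:2]
    return {"raw": raw, "method": method, "uri": uri, "header": headers + b"\r\n", "body": body}

# sids 26613 and 26725 from the ruleset above, rejoined onto one line each (metadata and
# reference options shortened; the evaluator ignores them anyway).
MEDFOS_26613 = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Medfos Trojan variant '
    r'outbound connection"; flow:to_server,established; content:"/feed?req=http"; fast_pattern:only; '
    r'http_uri; content:"|3B| MSIE "; http_header; content:!"|0D 0A|Accept-Language:"; http_header; '
    r'content:!"|0D 0A|Referer:"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/Hsmi"; '
    r'metadata:ruleset community, service http; classtype:trojan-activity; sid:26613; rev:2;)')
BLACKREV_26725 = (
    r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc '
    r'http command"; flow:to_client,established; file_data; content:"http|7C|"; depth:5; '
    r'pcre:"/^http\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; '
    r'metadata:ruleset community, service http; classtype:trojan-activity; sid:26725; rev:4;)')

# Constructed traffic, not captured samples: a Medfos-shaped check-in, the same request with
# the Accept-Language header the rule forbids, and a BlackRev-style C2 reply plus a non-'http' one.
MEDFOS_HIT = http_request(b"GET /feed?req=http://198.51.100.23/x HTTP/1.1\r\n"
                          b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
                          b"Host: 198.51.100.23\r\n\r\n")
MEDFOS_MISS = http_request(MEDFOS_HIT["raw"].replace(b"Host:", b"Accept-Language: en-US\r\nHost:"))
BLACKREV_HIT = {"file_data": b"http|1|30|target.net|abc123|"}
BLACKREV_MISS = {"file_data": b"stop|1|30|target.net|abc123|"}

if __name__ == "__main__":
    for label, rule, bufs in (("medfos hit", MEDFOS_26613, MEDFOS_HIT), ("medfos miss", MEDFOS_26613, MEDFOS_MISS),
                              ("blackrev hit", BLACKREV_26725, BLACKREV_HIT), ("blackrev miss", BLACKREV_26725, BLACKREV_MISS)):
        print(label, evaluate(rule, bufs))
```

Run directly, it prints the four verdicts. The miss cases are the instructive ones: the Medfos request with an Accept-Language header is exactly the browser-shaped traffic the negated content options exist to exclude, and the BlackRev reply that starts with another verb fails at depth:5 before the pcre is ever consulted. Snort itself also gates these options behind flow state and the fast-pattern matcher, which this model skips.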
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Luder variant outbound connection"; flow:to_server,established; content:"/loader.cpl"; fast_pattern:only; http_uri; pcre:"/\/loader\.cpl$/U"; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection HTTP Header Structure"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/index.html"; http_uri; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection POST"; flow:to_server,established; content:"POST"; http_method; content:"cmd=gravar&dados="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex encrypted POST check-in"; flow:to_server,established; content:"/cos3q/in"; fast_pattern:only; http_uri; content:".exe"; nocase; http_client_body; pcre:"/\x5f\w{24}\.exe/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26837; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26923; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26924; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0"; within:1; distance:1; content:" height="; within:8; distance:1; content:"0"; within:1; distance:1; content:"
code="; within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase;
content:" archive="; within:9; distance:1; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-
activity; sid:26949; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request";
flow:to_server,established; content:"/.cache/?f="; fast_pattern; http_uri;
content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-
malvertising.html; classtype:trojan-activity; sid:26951; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established;
content:"/forum/search.php?email="; http_uri; content:"&method="; distance:0;
http_uri; content:!"Referer"; http_header; content:!"Accept-"; http_header;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-
now-secured; classtype:trojan-activity; sid:26965; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win32/Autorun.JN variant outbound connection"; flow:to_server,established;
dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri;
content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?
Name=Worm%3AWin32%2FAutorun.JN;
reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29e
a3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST";
http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: ";
fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B|
name="; http_client_body; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established;
content:"POST"; http_method; content:".php?version="; http_uri; content:"&user=";
distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name=";
distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established;
content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie;
pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag
red, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a
62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Injector Info Stealer Trojan variant outbound connection";
flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri;
content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE "; http_header;
content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD02
46F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin
exploit kit outbound java retrieval"; flow:to_server,established;
content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri;
pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; classtype:trojan-activity;
sid:26985; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established;
content:"Content-Length: 150|0D 0A|"; fast_pattern:only; http_header; file_data;
content:"|0D 0A|"; depth:2; offset:4; content:"|0D 0A|"; within:2; distance:4;
content:"|0D 0A|"; within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-
F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b649276
3f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established;
content:"/get.asp?mac="; http_uri; content:"&os="; within:36; http_uri;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39
_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit
kit plugin detection connection jorg"; flow:to_server,established;
content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U";
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-
0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723;
reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422;
reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit
kit plugin detection connection jlnp"; flow:to_server,established;
content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U";
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-
0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723;
reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422;
reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit
kit plugin detection connection jovf"; flow:to_server,established;
content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U";
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-
0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723;
reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422;
reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
known malicious user-agent string pb - Htbot"; flow:to_server,established;
content:"User-Agent: pb|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy security-ips drop, ruleset community, service
http;
reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/;
reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832f
a7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe;
content:"filename="; http_header; content:"security_cleaner.exe";
fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853
669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045;
rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE
Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1";
fast_pattern:only; metadata:ruleset community, service http; classtype:bad-unknown;
sid:27047; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown
Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established;
flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class";
distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class";
distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity; sid:27085;
rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown
Malvertising exploit kit stage-1 redirect"; flow:to_client,established;
content:"<html><body><script>|0A|var "; fast_pattern;
content:"document.createElement("; within:80; content:".setAttribute(|22|archive|
22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65;
content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|
22|, "; within:65; content:"|22|)|3B 0A|document.body.appendChild("; within:65;
content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http; classtype:trojan-
activity; sid:27086; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Blackholev2/Cool exploit kit outbound portable executable request";
flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze=";
distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?
sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:policy
balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset
community, service http; classtype:trojan-activity; sid:27110; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt";
flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0;
http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar;
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-
2423; reference:url,www.basemont.com/new_exploit_kit_june_2013;
reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity;
sid:27113; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private
exploit kit outbound traffic"; flow:to_server,established; content:".php?";
http_uri; content:"content-type: application/"; http_header; content:" Java/1";
http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU";
metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-
0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493;
reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-
well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-
new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek;
classtype:trojan-activity; sid:27144; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Meredrop variant outbound connection GET Request";
flow:to_server,established; content:"/?"; depth:2; http_uri; content:"h=NT";
fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-
Z\d]{8}/U"; metadata:impact_flag red, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a
5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Meredrop variant outbound connection POST Request";
flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B 20|";
fast_pattern:only; http_header; content:"User-Agent"; http_header;
pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-
Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a
5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established;
content:"ps0="; depth:4; http_client_body; content:"ps1="; distance:0;
http_client_body; content:"cs1="; distance:0; http_client_body; content:"cs2=";
distance:0; http_client_body; content:"cs3="; distance:0; http_client_body;
pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:27201; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE
Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established;
content:"User-Agent|3A| SEX|2F|1"; fast_pattern:only; http_header; metadata:ruleset
community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-
injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Potential
Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File";
flow:to_client,established; file_data; content:"return |22|DIRECT|22|";
fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]
{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-
z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red, ruleset community, service
http; classtype:trojan-activity; sid:27204; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX
FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|
YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-
targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gamarue - Mozi1la User-Agent"; flow:to_server,established;
content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e
8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ZeroAccess 111-byte URL variant outbound connection";
flow:to_server,established; urilen:111; content:"=="; depth:2; offset:103;
content:" HTTP/1.0|0D 0A|Host:"; within:16; distance:10; pcre:"/^\/[a-z\d]
{98}\x3d{2}[a-z\d]{10}$/Ui"; content:!"Accept:"; http_header; metadata:impact_flag
red, policy security-ips drop, ruleset community, service http; classtype:trojan-
activity; sid:27252; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Cridex Encrypted POST w/ URL Pattern"; flow:to_server,established;
urilen:<34; content:"POST"; http_method; content:"U|3B| MSIE "; http_header;
content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache";
fast_pattern:only; http_header; content:!"Accept-Language:"; http_header;
pcre:"/\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-
z0-9\x2b\x2f\x3d]{1,10}\x2f([A-Za-z0-9\x2b\x2f\x3d]{1,10})?(\x2f[A-Za-z0-
9\x2b\x2f\x3d]{1,10})?/U"; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:impact_flag red,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbba20122489e
6751621f921ca53cc7e421/analysis/; classtype:trojan-activity; sid:27253; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Yakes
Trojan HTTP Header Structure"; flow:to_server,established; content:"POST";
http_method; content:".php HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only;
content:".php HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|
Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-
form-urlencoded|0D 0A|"; within:113; pcre:"/coded\r\nUser\x2dAgent\x3a\x20[ -~]
+\r\nContent\x2dLength\x3a\x20[2-9][02468]\r\nHost\x3a\x20[a-z0-9\x2d\x2e]
+\r\n\r\n[a-zA-Z0-9\x2f\x2b\x3d]{20,}$/"; pcre:"/[\x2f\x2b\x3d]/P";
metadata:impact_flag red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c987
35814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27254; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE
All Numbers .EXE file name from abnormally ordered HTTP headers - Potential Yakes
Trojan Download"; flow:to_server,established; content:"GET"; http_method;
content:".exe HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".exe
HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|
0D 0A|Pragma: no-cache|0D 0A|User-Agent: "; within:76; content:"|3A 20|";
distance:0; content:!"|3A 20|"; distance:0; pcre:"/\x2f\d+\.exe$/Ui";
metadata:impact_flag red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c987
35814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27255; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kryptik Drive-by Download Malware"; flow:to_server,established;
content:"GET"; http_method; content:".php?id="; offset:6; fast_pattern; http_uri;
content:" HTTP/1."; within:11; distance:1; http_header; content:"|0D 0A|User-Agent:
Mozilla/"; within:22; distance:1; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z0-
9\x2d\x2e]+\r\n(Cache\x2dControl|Pragma)\x3a\x20no-cache\r\n\r\n$/H";
metadata:impact_flag red, policy security-ips drop, ruleset community, service
http; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware;
reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899
638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27256;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language";
flow:to_server,established; urilen:7; content:"GET"; http_method;
content:"Firefox/3."; fast_pattern:only; http_header; pcre:"/^\/[A-Z]{6}$/U";
content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/8c1ff08a25b93da66921c75d0d21a9c08c5d3d36b9
5f9eaf113ecd84fa452944/analysis/1374505566/; classtype:trojan-activity; sid:27257;
rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential
Win.Trojan.Kraziomel Download - 000.jpg"; flow:to_server,established; urilen:8;
content:"/000.jpg"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|Host: ";
content:!"|3A 20|"; distance:0; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526
d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL
certificate with default MyCompany Ltd organization name";
flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A|";
content:"|0E|MyCompany Ltd"; within:14; distance:1; metadata:impact_flag red,
ruleset community, service ssl; reference:url,en.wikipedia.org/wiki/Self-
signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-
howtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
HideMeBetter spam injection variant"; flow:to_client,established; file_data;
content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; content:"if(document|
2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|null)"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-
variant.html; classtype:trojan-activity; sid:27565; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Rovnix malicious download request"; flow:to_server,established;
content:"/ld.aspx"; nocase; http_uri; content:"User-Agent|3A 20|FWVersionTestAgent|
0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap;
reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-
private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Redyms variant outbound connection"; flow:to_server,established;
content:"&intip="; fast_pattern:only; http_uri; content:"?id="; http_uri;
content:"&port="; distance:0; http_uri; content:"&bid="; distance:0; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d0093f0fc1abf2
c3f2816e041e37769137a4/analysis/1375189147/; classtype:trojan-activity; sid:27596;
rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fort Disco
Registration variant outbound connection"; flow:to_server,established;
content:"/cmd.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B|
Synapse)"; fast_pattern:only; http_header; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http; reference:url,www.net-
security.org/secworld.php?id=15370; classtype:trojan-activity; sid:27599; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established;
content:"/tomcat-docs/index.jsp?/"; http_uri; content:"User-Agent|3A| Mozilla/4.0 |
28|compatible|3B| MSIE 5.01|3B| Windows NT 5.0|29|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-
ips drop, ruleset community, service http; classtype:trojan-activity; sid:27629;
rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Aumlib
variant outbound connection"; flow:to_server,established;
content:"/bbs/search.asp"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B|
MSIE 5.0|3B| Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; classtype:trojan-activity; sid:27630; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Aumlib
variant outbound connection"; flow:to_server,established; content:"/buy-
sell/search.asp?newsid="; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B|
MSIE 5.0|3B| Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; classtype:trojan-activity; sid:27631; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Silly
variant outbound connection"; flow:to_server,established; urilen:7;
content:"/ul.htm"; fast_pattern:only; http_uri; content:"|3B| MSIE 6.0|3B 20|";
http_header; content:!"Accept-Language: "; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba3022
62d0a9b0d2832718a93524/analysis/; classtype:trojan-activity; sid:27633; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SpyBanker.ZSL variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"valor="; depth:6; http_client_body;
content:"]branco["; fast_pattern:only; http_client_body; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/709fa674b301e9123fc2c01e817da21cb29cdfb5a4
2634a793e27c9533d335b1/analysis/1375811416/; classtype:trojan-activity; sid:27648;
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brazilian
Banking Trojan data theft"; flow:to_server,established; content:"POST";
http_method; content:"remetente="; depth:10; http_client_body;
content:"&destinatario="; distance:0; http_client_body; content:"&assunto=";
distance:0; http_client_body; content:"&mensagem="; distance:0; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:27649; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ZeroAccess variant outbound connection"; flow:to_server,established;
urilen:>95; content:".php HTTP/1.1|0D 0A|User-Agent: Opera/"; fast_pattern:only;
pcre:"/(?=^[a-z\x2d\x5f\x2f]{95,}\.php$).*?[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]
{2,48}\x2d[a-z]{2,48}\x2d?\.php$/U"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http; classtype:trojan-
activity; sid:27680; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Ransomware.Urausy outbound connection"; flow:to_server,established;
urilen:>145,norm; content:".html"; http_uri; content:"|0D 0A|User-Agent|3A|
Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0";
fast_pattern:only; content:!"Cookie:"; http_header; content:!"X-BlueCoat-Via:";
http_header; content:!"Referer"; http_header; pcre:"/\x2f[a-z-_]{80,}\x2ehtml$/U";
metadata:impact_flag red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595
d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:27708;
rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit
Downloader denial of service update"; flow:to_server,established;
content:"/update/ido.ipl"; fast_pattern:only; http_uri; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-
of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27726; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit
Downloader denial of service update"; flow:to_server,established;
content:"/update/myinfo.php"; fast_pattern:only; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-
of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27727; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit
Downloader denial of service update"; flow:to_server,established;
content:"/update/param.php?"; fast_pattern:only; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-
of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27728; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker
Data Exfiltration"; flow:to_server,established; content:"POST"; http_method;
content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only;
http_client_body; content:"_.log|22 0D 0A|"; http_client_body; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http; classtype:trojan-activity; sid:27774; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:".htm"; http_uri; content:!"Accept"; http_header; content:"|0A|Content-Length: 164|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:"host|3A|"; nocase; http_header; content:"|2E|"; within:5; http_header; content:"|2E|"; within:4; http_header; content:"|2E|"; within:4; http_header; content:"|6C 55 55 45|"; depth:4; offset:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27775; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index_htm_files2/"; nocase; http_uri; content:".png"; within:4; distance:3; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27802; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/form.php"; depth:9; http_uri; content:"RcpTfdsvoD9KB9O"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27803; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index.php"; nocase; http_uri; content:"foo="; http_cookie; content:"data=RcpTfdssoD9KB9O"; depth:20; fast_pattern; http_client_body; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27804; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Bisonha variant outbound connection"; flow:to_server,established; content:"GET /3001"; fast_pattern; isdataat:260,relative; content:"0000000000000000000000000"; pcre:"/\/3001[0-9A-F]{262,304}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,bl0g.cedricpernet.net/post/2013/08/29/APT-More-on-G20Summit-Espionage-Operation; reference:url,www.virustotal.com/en/file/f0d8834fb0e2d3c6e7c1fde7c6bcf9171e5deca119338e4fac21568e0bb70ab7/analysis/; classtype:trojan-activity; sid:27805; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27866; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:3;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:3;)
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established,only_stream; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:2;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established,only_stream; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:2;)
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established,only_stream; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:27907; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - get ads"; flow:to_server,established; content:"/afr.php?zoneid="; http_uri; content:"/ads/ox.html"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27913; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - post install"; flow:to_server,established; content:"/report.php?key="; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27914; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware outbound connection - pre install"; flow:to_server,established; content:"/instapi.php?idMk="; http_uri; content:"&state="; distance:0; http_uri; content:"&idTime="; distance:0; http_uri; content:"&idA2="; distance:0; http_uri; content:"&xVal="; distance:0; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27915; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar install"; flow:to_server,established; content:"/utilsbar/EazelBar.exe"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27916; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - offers"; flow:to_server,established; content:"/listener.php"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27917; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.0|0D 0A|Host:"; fast_pattern:only; content:"Accept-Encoding: identity, *|3B|q=0|0D 0A|"; http_header; content:"|3B| MSIE "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27918; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration"; flow:to_server,established; content:"Accept-Encoding|3A| identity, *|3B|q=0|0D 0A|"; fast_pattern:only; http_header; content:"|3B| MSIE "; http_header; pcre:"/[^ -~\r\n]{4}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27919; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"Gh0st"; depth:5; content:"|00 00 00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:27964; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Eupuds variant connection"; flow:to_client,established; file_data; content:"insert into avs (id, pc,data,ref,country , id_user, mostrar)values("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/09f4611c05dcff55d4471b90d41b0fd3e6d3289f71321301751008dab75ded4d/analysis/; classtype:trojan-activity; sid:27965; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Response"; nocase; http_client_body; content:"FromBase64String"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27966; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"caidao="; fast_pattern:only; http_client_body; pcre:"/caidao\s?=\s?(Response|Write|Execute)/Pmi"; metadata:impact_flag red, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27967; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Execute"; nocase; http_client_body; content:"On+Error+Resume+Next:"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27968; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound command"; flow:to_server,established,only_stream; content:"/index.php?"; http_uri; content:"-dsafe_mode"; distance:0; http_uri; content:"-ddisable_functions"; distance:0; http_uri; content:"-dallow_url_fopen"; distance:0; http_uri; content:"-dallow_url_include"; distance:0; http_uri; content:"-dauto_prepend_file"; distance:0; http_uri; content:"echo.txt"; detection_filter:track by_src, count 20, seconds 60; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2d134b69c41fadc5d3a28c90e452323f1c54dd1aa20ac5f5e897feac8d86755a/analysis/; classtype:trojan-activity; sid:28005; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Kuluoz outbound download request"; flow:to_server,established; content:"?message="; fast_pattern:only; http_uri; pcre:"/(info|app)\x2ephp\x3fmessage\x3d/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:28006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=startupkey_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28007; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"/index.aspx?info=reuse"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28008; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=configkey"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"/index.aspx?info=tserror_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"/index.aspx?info=createproc_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28011; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"from=%20Nome..:"; depth:15; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:28012; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:28026; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>250; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28028; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy variant outbound connection"; flow:to_server,established; urilen:>95,norm; content:"User-Agent|3A| Opera/10.80 |28|Windows NT 5.1|3B| U|3B| Edition Yx|3B| en|29| Presto/2.9.168 Version/11.52|0D 0A|"; fast_pattern:only; pcre:"/\x2f[a-z-_]{90,}\x2e(html|php)$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28033; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw variant outbound connection"; flow:to_server,established; content:"/ping.html?r="; fast_pattern:only; http_uri; content:!"/utils/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; classtype:trojan-activity; sid:28042; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoLocker variant connection"; flow:to_server,established; content:"/crypt_1_sell"; fast_pattern:only; http_uri; pcre:"/\/crypt_1_sell\d\d-\d\d.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis; classtype:trojan-activity; sid:28044; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"v="; http_client_body; content:"|26|u="; within:3; distance:3; http_client_body; content:"|26|c="; distance:0; http_client_body; content:"|26|s={"; distance:0; http_client_body; content:"}|26|w="; within:4; distance:36; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/; classtype:trojan-activity; sid:28079; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar data theft"; flow:to_server,established; content:".exe&h="; fast_pattern:only; http_client_body; content:"p="; depth:2; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/; classtype:trojan-activity; sid:28080; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/v22/mutabixa/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28105; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload information upload"; flow:to_server,established; content:"/v22/mutabixa/1nf3ct/"; http_uri; content:"chave="; distance:0; http_uri; content:"&url="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28106; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload download"; flow:to_server,established; content:".jpg"; http_uri; content:"User-Agent|3A| runddll32.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28107; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /default.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/default.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28114; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /file.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/file.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28115; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /home.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/home.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28116; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /install.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/install.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28117; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /login.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/login.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28118; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /search.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/search.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /start.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/start.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /welcome.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/welcome.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28121; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /index.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/index.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28122; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /setup.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/setup.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28123; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; urilen:11; content:"/search?q="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:": no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/search\?q=[0-9]$/Umi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0d85a20a7f4d3824559c81a50999cc2a5/analysis/; classtype:trojan-activity; sid:28147; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mevade variant outbound connection"; flow:to_server,established; content:"|0D 0A|uuid: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; pcre:"/[^\n -~\r]{4}/P"; content:"Content-Type|3A| binary/octet-stream|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda4027277b696b6a06889ed52751b39f54/analysis/; classtype:trojan-activity; sid:28148; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - /html2/"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/html2/"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28153; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.1"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.1|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28154; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.2"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.2|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28155; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential Phishing URL"; flow:to_server,established; content:"/info.php?message="; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/report.php?id=5117077; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:28192; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin upgrade.php exploit attempt"; flow:to_server,established; content:"install/upgrade.php"; fast_pattern:only; http_uri; content:"firstrun=false"; http_client_body; content:"&customerid="; http_client_body; content:"username%5d="; http_client_body; content:"password%5d="; http_client_body; metadata:ruleset community, service http; reference:url,www.net-security.org/secworld.php?id=15743; classtype:attempted-admin; sid:28215; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28233; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KanKan variant connection"; flow:to_server,established; content:"/?u="; depth:4; http_uri; content:"&u2="; http_uri; content:"&u5=inststart"; http_uri; content:"NSIS_Inetc (Mozilla)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4a2912566130ea512b25639b3f95e94c4/analysis/; classtype:trojan-activity; sid:28242; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL"; flow:to_server,established; content:"/get.php?invite="; fast_pattern:only; http_uri; content:"Accept-Encoding: gzip"; http_header; pcre:"/^\/get.php\?invite=.*?=$/mU"; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=get.php%3Finvite%3D&type=string&start=2013-10-01&end=2013-10-16&max=50; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:28255; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2"; flow:to_server,established; content:"/?gws_rd=cr"; fast_pattern:only; http_uri; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0d811fc694c05af1d9ea768ef992cb489/analysis/1381870348/; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28285; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28291; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant connection"; flow:to_server,established; content:"/status/?&cmp="; fast_pattern; http_uri; content:"&src="; distance:0; http_uri; content:"&status=start"; distance:0; http_uri; content:!"User-Agent: "; http_uri; content:!"Accept"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e21a7333f5e6fe6de87b0b4ef928202724680d46ee3524983ec6962b4061813c/analysis/1381409595/; classtype:trojan-activity; sid:28300; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"FromBase64String"; http_client_body; content:"z"; within:200; nocase; http_client_body; pcre:"/z\d{1,3}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:28323; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FakeAV runtime detection"; flow:to_server,established; content:"&affid="; fast_pattern:only; http_uri; content:"/api/"; nocase; http_uri; content:"?ts="; nocase; http_uri; content:"&token="; nocase; http_uri; content:"&group="; nocase; http_uri; content:"&nid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&ver="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28324; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation"; flow:established,to_server; content:"GET"; http_method; content:"CHR("; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:28344; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"ps=|22|split|22 3B|asd=function()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28345; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"aq=|22|0x|22 3B|ff=String|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28346; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; urilen:>90; content:"/p.ashx?prd="; fast_pattern; http_uri; content:"&pixGuid="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28405; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|c|22|+|22|r|22 3A|2+|22|e|22|+|22|a|22|+|22|t|22|+|22|e|22|+|22|E|22|+|22|l|22|+|22|e|22|+|22|m|22|+((f)?|22|e|22|+|22|n|22|+|22|t|22 3A 22 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28420; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|fr|22|+|22|omCh|22|+|22|arCo|22|+|22|de|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28421; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Glazunov exploit kit landing page"; flow:to_client,established; file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B 20|"; within:50; content:"=|27|param|27 3B 20|"; within:50; content:".zip|27 3B| </script>"; distance:0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt"; flow:to_server,established; urilen:15; content:".jnlp"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-z0-9]{9}\.jnlp$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit zip file download"; flow:to_server,established; content:".zip"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\/\d\.zip$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1039 (msg:"MALWARE-CNC Win.Trojan.Symmi variant SQL check-in"; flow:to_server,established; content:"s|00|e|00|l|00|e|00|c|00|t|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|f|00|r|00|o|00|m|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|w|00|h|00|e|00|r|00|e|00| |00|i|00|d|00|_|00|p|00|c|00|=|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28446; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt"; flow:to_server,established; urilen:<25; content:".ld"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\.ld$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28450; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC DeputyDog diskless method outbound connection"; flow:to_server,established; content:"User-Agent: lynx|0D 0A|"; fast_pattern:only; http_header; content:"POST"; http_method; pcre:"/^\x2f[0-9a-f]+$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-090; classtype:trojan-activity; sid:28493; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0"; content:"Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only; content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|"; content:"Content-Type: multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; reference:url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2be03788bbe714fc586b82a19444727a54/analysis/; classtype:trojan-activity; sid:28538; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess Download Headers"; flow:to_server,established; urilen:5<>14; content:"|0D 0A|Accept: */*|0D 0A|Accept-Encoding: identity, *|3B|q=0|0D 0A|Connection: close|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:".exe HTTP/1.0|0D 0A|Host: "; pcre:"/^\x2f[a-z\d]{1,8}\.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/eeaeb1506d805271b5147ce911df9c264d63e4d229de4464ef879a83fb225a40/detection; classtype:trojan-activity; sid:28541; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)
# alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 (msg:"INDICATOR-SCAN inbound probing for IPTUX messenger port "; flow:to_server; content:"iptux"; depth:5; offset:2; content:"lws|3A|lws"; within:7; distance:9; metadata:ruleset community; reference:url,github.com/iptux-src/iptux; classtype:misc-activity; sid:28552; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /main.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/main.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28553; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /online.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/online.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28554; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MALWARE-OTHER SQL Slammer worm propagation attempt inbound"; flow:to_server; content:"|04|"; depth:1; content:"Qh.dll"; fast_pattern:only; content:"sock"; content:"send"; metadata:impact_flag red, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; classtype:trojan-activity; sid:28555; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; urilen:24<>26,norm; content:"/f/"; fast_pattern:only; http_uri; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28596; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; urilen:<30; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/\d+\.mp3$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2012-0507; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; urilen:1; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Language:"; depth:45; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern; content:"google.com|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28800; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos outbound connection"; flow:to_server,established; urilen:17<>27; content:"ip-who-is.com|0D 0A|"; fast_pattern:only; http_header; content:"/locate-ip/"; depth:11; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; sid:28802; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Injector inbound connection"; flow:to_client,established; file_data; content:"UPDATE|7C|"; depth:7; pcre:"/^UPDATE\|[0-9]\.[0-9]\.[0-9]\|[A-F0-9]{48}\|{3}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28803; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A|&nome="; fast_pattern:only; http_client_body; content:"conteudo="; depth:9; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28804; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 2090 (msg:"MALWARE-CNC Win.Trojan.Palevo outbound connection"; flow:to_server; dsize:21; content:"|00 00|"; depth:2; offset:19; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,palevotracker.abuse.ch/?ipaddress=209.222.14.3; reference:url,palevotracker.abuse.ch/?ipaddress=31.170.179.179; classtype:trojan-activity; sid:28805; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware download - single digit .exe file download"; flow:to_server,established; urilen:6; content:".exe"; fast_pattern:only; pcre:"/\/[a-z0-9]\.exe$/Ui"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400; classtype:trojan-activity; sid:28806; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dofoil inbound connection"; flow:to_client,established; content:"|3B 20|filename=exe.exe|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2325492f457a8b7d3df48a570210f65f3a094fe8925278451713768d938bec86/analysis/; classtype:trojan-activity; sid:28809; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|biz|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:28810; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"/post.aspx?forumID="; fast_pattern:only; http_uri; content:"|0D 0A|URL: http"; depth:11; offset:17; http_client_body; content:!"Accept"; http_header; pcre:"/^(?!\d{17}|[A-F]{17})[A-F0-9]{17}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28814; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:!"Accept"; http_header; pcre:"/^id\x3d[A-F\d]{32}(\x26info\x3d[A-F\d]{24})?$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28815; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:28817; rev:4;)
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.Zollard"; flow:to_server,established; content:"User-Agent|3A| Zollard|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd62f74e0f4c33d85bce08ada/analysis/; classtype:trojan-activity; sid:28852; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent z00sAgent - Win.Trojan.Zbot"; flow:to_server,established; content:"User-Agent|3A| z00sAgent"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0220b1071c8a0093e673d836ae436cb468b8cd1bd5873dad08351309e13af9e5/analysis/1383673331/; classtype:trojan-activity; sid:28859; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 58455 (msg:"MALWARE-BACKDOOR Zollard variant outbound connection attempt"; flow:to_server,established; content:".zollard/"; fast_pattern:only; metadata:impact_flag red, ruleset community, service telnet; reference:url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:28913; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bit.ly|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28918; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bitly.com|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c2e3ba481254edc65b30b89/analysis/; classtype:trojan-activity; sid:28919; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection"; flow:to_server,established; urilen:>150; content:"/?"; depth:2; http_uri; content:"Firefox/4.0b8pre|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\/\?[a-z0-9]{2}\=[a-z1-9]{100}/siU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28930; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download"; flow:to_server,established; content:"/config.php?"; fast_pattern:only; http_uri; content:"version="; http_uri; content:"user="; http_uri; content:"server="; http_uri; content:"id="; http_uri; content:"crc="; http_uri; content:"id="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/forums/diary/Suspected+Active+Rovnix+Botnet+Controller/17180; reference:url,www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/; classtype:trojan-activity; sid:28940; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE exe.exe download"; flow:to_server,established; urilen:>7; content:"/exe.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400; classtype:trojan-activity; sid:28945; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; content:"/cmd?version="; fast_pattern:only; http_uri; content:"&aid="; http_uri; content:"&id="; distance:0; http_uri; content:"&os="; within:4; distance:36; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/; classtype:trojan-activity; sid:28960; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; content:"/tx.exe"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28969; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration"; flow:to_server,established; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"|0D 0A|TP="; http_client_body; content:"|0D 0A|LGSN="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28976; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket"; flow:to_server,established; content:"|3B 20|Windows NT 5.0|0D 0A|Host:"; fast_pattern:only; http_header; content:" HTTP/1.1|0D 0A|Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|User-Agent: Mozilla/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28977; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot requesting URL through IRC"; flow:to_client,established; content:"JOIN |3A| #"; content:"!dl http://"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28982; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/launch.php"; http_uri; content:"?f="; http_uri; content:"&s="; distance:0; http_uri; content:"&is_direct="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28983; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/direct.php"; http_uri; content:"?f="; http_uri; content:"&s="; http_uri; pcre:"/\x2Fdirect\.php\x3Ff=[0-9]{8}\x26s=[a-z0-9]{3}\.[a-z]{1,4}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28984; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"/site2/"; http_uri; content:!"Referer|3A| "; http_header; content:"60gp="; http_cookie; content:"60gpBAK="; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28985; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Neeris IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #biz abc|0D 0A|"; depth:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/0a8f320fc7535f164bbd9d0e462fd459c55ff448cf5e84dc2115f2f4aa800e6b/analysis/1387176826/; classtype:trojan-activity; sid:28986; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #n jobs|0D 0A|"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28987; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #test1|20 7C 0D 0A|JOIN #test2|20 7C 0D 0A|JOIN #test3 (null)|0D 0A|"; depth:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28988; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant inbound connection"; flow:to_client,established; content:"/avcheck.exe|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|Location: https://dl.dropboxusercontent.com/"; http_header; pcre:"/\r\nLocation\x3a\x20https\x3a\x2f{2}dl\.dropboxusercontent\.com\/[a-zA-Z\d\x2f]{5,32}\/avcheck\.exe\r\n\r\n$/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29031; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:13,norm; content:"/webstat/?i="; depth:12; fast_pattern; http_uri; content:"User-Agent: Mozilla/7"; http_header; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29127; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; content:"/loadmsie.php?id="; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29166; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:4;)
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string fortis"; flow:to_server,established; content:"User-Agent: fortis|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29174; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; urilen:34; content:"/?"; depth:2; fast_pattern; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3A|"; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29189; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"/se/gate.php"; http_uri; content:"HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Content-Length: "; fast_pattern:only; pcre:"/\x3d\x0a$/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis/; classtype:trojan-activity; sid:29216; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/mod/lookfashon.jpg"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/chamjavanv.inf?aapf/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29259; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/novredir_inf.php?apt/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29260; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/FileToDownload.exe"; fast_pattern:only; http_uri; content:"Host: dl.dropbox.com|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1087/5386/0/html; reference:url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e0107f80ad14ba4d052a3f3db11ccfd8ce4a/analysis/; classtype:trojan-activity; sid:29261; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant inbound connection"; flow:to_client,established; content:"|3B 20|filename=CostcoForm.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"CostcoForm.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a3c54e14d0fc94814ce841be4740f295c/analysis; classtype:trojan-activity; sid:29300; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"rotina=UPDATE&tip=stat&nome="; depth:28; fast_pattern; http_client_body; content:"&tmp="; distance:0; http_client_body; content:"&stat="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a99732bd5649a39411868bf71e90cfdc84/analysis/1389362066/; classtype:trojan-activity; sid:29349; rev:1;)
# alert tcp $EXTERNAL_NET [777,778] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic"; flow:to_client,established; dsize:10<>20; content:"|05 29 00 00 00 05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29378; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration"; flow:to_server,established; dsize:>1440; content:"|03 2B 82 86 02 A0 05|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29379; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic"; flow:to_server,established; dsize:5; content:"|05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29380; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe AIR file download request"; flow:to_server,established; content:".air"; fast_pattern:only; http_uri; pcre:"/\x2eair([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:29384; rev:11;)
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_client,established; content:".air"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:29385; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_server,established; content:".air"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:29386; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"NID="; depth:4; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:29395; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same"; flow:to_client,established; content:"Receipt"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}receipt[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29396; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same"; flow:to_client,established; content:"Shipping"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}shipping[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29397; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same"; flow:to_client,established; content:"voicemail"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}voicemail[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29398; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same"; flow:to_client,established; content:"statement"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}statement[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29399; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual L3retriever Ping detected"; icode:0; itype:8; dsize:>32; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29454; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows Ping detected"; icode:0; itype:8; dsize:>32; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29455; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36; content:!"WANG2"; content:!"cacti-monitoring-system"; depth:65; content:!"SolarWinds"; depth:72; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29456; rev:2;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; dsize:>32; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29457; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Fexel variant outbound connection"; flow:to_server,established; content:"|0A|Agtid|3A 20|"; content:"08x|0D 0A|"; within:5; distance:8; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b33ffbec01b43301edd9db42a59dcd33dd45f638733e2f92f0cb5bfe86714734/analysis/; classtype:trojan-activity; sid:29459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Backdoor.Shellbot outbound connection"; flow:to_server,established; content:"JOIN|20|#vnc|0A|"; depth:10; content:"PRIVMSG|20|#vnc|20 3A|"; within:14; content:"status checking program online"; within:30; distance:7; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d576b62444114306effb4023d/analysis/1390763713/; classtype:trojan-activity; sid:29569; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DomaIQ variant outbound connection"; flow:to_server,established; content:"/trace/Start HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"/debug/Version/"; depth:15; http_uri; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1546/6325/0/html#network; reference:url,www.virustotal.com/en/file/59795540fc058979c6be02351507330fce8a8d3c6f10cbcd4ee21ab0144b9a7f/analysis/1390421409/; classtype:trojan-activity; sid:29664; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"&bolausado"; fast_pattern:only; http_client_body; content:"rotina="; depth:7; http_client_body; content:"&casa="; distance:0; http_client_body; content:"&idcliente"; distance:0; http_client_body; content:"&outro="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:29665; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection"; flow:to_server,established; urilen:20; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0"; http_header; content:"token="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:29666; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29760; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto outbound connection"; flow:to_server,established; content:"Group|3D|"; http_uri; content:"Install|3D|"; http_uri; content:"Ver|3D|"; http_uri; content:"Ask|3D|"; http_uri; content:"Bn|3D|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29788; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/ag/plugin.crx"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29789; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/l/af_l_addon.xpi"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29790; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/m/f_l_addon.xpi"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29791; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server,established; content:"/post"; http_uri; content:"User-Agent: something"; fast_pattern:only; http_header; content:"mac="; http_client_body; content:"&t1="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29816; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server,established; urilen:10; content:"/post/echo"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29817; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - TixDll - Win.Trojan.Adload.dyhq"; flow:to_server,established; content:"User-Agent: TixDll|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adload.dyhq variant outbound connection"; flow:to_server,established; content:"/get/?ver="; depth:10; http_uri; content:"&aid="; distance:0; http_uri; content:"&hid="; distance:0; http_uri; content:"&rid="; distance:0; http_uri; content:"&data="; distance:0; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29828; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:established,to_server; urilen:6; content:"/HNAP1"; fast_pattern:only; http_uri; content:"Authorization: Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633; classtype:attempted-admin; sid:29829; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"%74%74%63%70%5f%69%70"; http_client_body; pcre:"/%74%74%63%70%5f%69%70%3d.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29830; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"ttcp_ip"; http_client_body; pcre:"/ttcp_ip=.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_client,established; content:"filename=|22|full__setup.zip|22 0D 0A|"; fast_pattern:only; http_header; file_data; content:"full__setup.exe"; depth:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29862; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established;
urilen:33; content:"/read/swf/searchProductResult.jsp"; fast_pattern:only;
http_uri; content:"cache=cc2="; depth:10; http_cookie; content:"|3B| core=";
distance:0; http_cookie; metadata:impact_flag red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e
01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29863;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit
exploit kit payload request"; flow:to_server,established; content:"/download.asp?
p="; nocase; http_uri; content:" Java/1."; fast_pattern:only; http_header;
pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-
fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:25.0) Gecko/20100101 Firefox/25.0|0D 0A|Host: "; fast_pattern:only; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity; sid:29865; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Napolar phishing attack"; flow:to_client,established; content:"facebook.com.exe"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29869; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Pony HTTP response connection"; flow:to_client,established; content:"Content-Length: 16"; http_header; file_data; content:"STATUS-IMPORT-OK"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1830/6840/0/html; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29870; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29884; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Updates downloader|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96E7626F5C575EB151C8E4E00E68F97478/analysis/; classtype:trojan-activity; sid:29887; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pushdo variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3A 20|"; http_header; content:"Accept|3A| */*|0D 0A|Accept-Language|3A| en-us|0D 0A|Content-Type|3A| application/octet-stream|0D 0A|Content-Length|3A| "; depth:93; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|Host|3A|"; distance:0; fast_pattern:34,20; http_header; content:"Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29891; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/prl/el.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d8174ee71e00541759eb18a31f959da521a9/analysis/; reference:url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240ec96090ce8b3f9c3c9b337b7f2a54f8a/analysis/; classtype:trojan-activity; sid:29897; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tiny variant outbound connection"; flow:to_server,established; content:"/ie-error.gif?action=utility"; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&error="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98f94d5e6b41c88083f4a3d3c04805a721/analysis/; classtype:trojan-activity; sid:29981; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; content:".php?a=dw"; fast_pattern:only; http_uri; pcre:"/\?a=dw[a-z]$/U"; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/and/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; pcre:"/^[a-z\d\x2f\+\x3d]{10,98}$/Pi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity; sid:30068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"/android/sms/sync.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&iscallhack="; distance:0; http_client_body; content:"&issmshack="; distance:0; http_client_body; content:"&isrecordhack="; distance:0; http_client_body; content:"&isadmin="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30070; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"POST"; http_method; content:"/android/sms/ping.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30071; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:22; content:"/android/sms/index.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&number=&iccid=&model="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamut configuration download"; flow:to_server,established; content:"|26|file=SenderClient.conf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30087; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:13; content:"/forum/db.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/2306/8066/0/html#network; reference:url,www.virustotal.com/en/file/009f75196d1df18713d2572e3a797fb6a784a5c6c7dd7d253ba408ed7164c313/analysis/1393271978/; classtype:trojan-activity; sid:30091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uroburos usermode-centric client request"; flow:to_server,established; content:"/1/6b-558694705129b01c0"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive|0D 0A|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30191; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:14; content:"/tmp/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:!"Accept"; http_header; pcre:"/^[a-z\d\x2b\x2f\x3d]{48,256}$/iP"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fb9613582fd025b6fd14dcd003973c676db3798b733851a6b37ef6b0bc5f3be/analysis; classtype:trojan-activity; sid:30196; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".xpg.com.br|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d28a89d789d51b30730a43ef903bc0fbb58e7014e9d55fbb2e42fd640fee1eac/analysis/; classtype:trojan-activity; sid:30198; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30220; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"|0D 0A|User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.1|3B| pt-BR|3B| rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5|0D 0A 0D 0A|"; fast_pattern:only; content:"|0D 0A|Accept-Encoding: gzip,deflate, identity|0D 0A|"; http_header; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:30234; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 6|0D 0A|"; http_header; file_data; content:"BRASIL"; depth:6; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30255; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Non-Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 13|0D 0A|"; http_header; file_data; content:"INTERNACIONAL"; depth:13; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30256; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/eh.html HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/29c3af334ce712ff66985f3584ad0af53ab16c2968ca41f06b900d703a27064e/analysis/1393266939/; reference:url,www.virustotal.com/en/file/5c2689920192836b3788a15f856ba311b54976a0a75016cbf0ae9a85d5a21d76/analysis/; classtype:trojan-activity; sid:30257; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:"&iv="; within:4; distance:36; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/52906104fa7cf93bbaba9ac9c6c5ffb8c72799e14248045e467c6568926cb494/analysis/1386078525/; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:30258; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; content:"/20"; depth:3; http_uri; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:".inf"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef384bdb4f64a739db019fa9b947b821a1/analysis/1395684118/; classtype:trojan-activity; sid:30259; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gcs?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30260; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gdi?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30261; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lista"; http_uri; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:".log|22 0D 0A|"; nocase; http_client_body; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed910d7454cdb64b4eab403961c953fe44e/analysis/1395407305/; classtype:trojan-activity; sid:30262; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection"; flow:to_server,established; content:"/stat?"; content:"uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; content:"&statpass=bpass"; distance:0; fast_pattern; content:"&version="; distance:0; content:"&features="; distance:0; content:"&guid="; distance:0; content:"&comment="; distance:0; content:"&p="; distance:0; content:"&s="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30288; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\?rnd=\d+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30319; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Calfbot outbound connection"; flow:to_server,established; content:"/b/index.php?id="; fast_pattern:only; http_uri; content:"&sent="; http_uri; content:"&notsent="; distance:0; http_uri; content:"&stat="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30336; rev:2;)
alert tcp $EXTERNAL_NET 1600:1604 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik inbound connection"; flow:to_client,established; content:"E|00|N|00|D|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30482; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; content:"GET /123456789.functionss"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30483; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; dsize:<20; content:"myversion|7C|"; fast_pattern:only; pcre:"/myversion\x7c(\d\x2e){3}\d\x0d\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30484; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 03|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:7;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:9;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:9;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:9;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30520; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30521; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30522; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30523; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established; dsize:8; content:"|18 03 02 00 03 01 40 00|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30524; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established; dsize:69; content:"|18 03 03 00 40|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30525; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramdo variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:".org|0D 0A|Content-Length|3A| 128|0D 0A|Cache-Control|3A| no-cache|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; pcre:"/^Host\x3a\s[a-z]{16}\.org\x0d/Hm"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx; classtype:trojan-activity; sid:30547; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"POST"; http_method; content:"/write"; http_uri; content:"Host: default|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html; reference:url,www.virustotal.com/en/file/7647eec6ae87c203085fe433f25c78f415baf31d01ee8aa31241241712b46a0d/analysis/; classtype:trojan-activity; sid:30548; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Heartbleed masscan access exploitation attempt"; flow:to_server,established; content:"[masscan/1.0]"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30549; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Minerd"; flow:to_server,established; urilen:>10; content:"/minerd.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity; sid:30551; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Systema"; flow:to_server,established; urilen:20; content:"/aviatic/systema.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; reference:url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e81002469a8f054f79638a57332ac448d819fb5d/analysis/; classtype:trojan-activity; sid:30552; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10991 (msg:"MALWARE-CNC Linux.Trojan.Elknot outbound connection"; flow:to_server,established; dsize:401; content:"Linux|20|"; depth:6; offset:17; pcre:"/Linux\x20\d\.[0-9]{1,2}\.[0-9]{1,2}/"; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/13f13f4e214c2755235ba36643e4ab08d4ea679da008397b7a540e0d45e70ab2/analysis/; classtype:trojan-activity; sid:30566; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Win.Trojan.Agent E-FAX phishing attempt"; flow:to_client,established;
flowbits:isset,file.zip; file_data; content:"pdf_efax_"; fast_pattern:only;
content:"PK"; depth:2; content:".pif"; distance:0; nocase; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694
a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
Win.Trojan.Agent E-FAX phishing attempt"; flow:to_server,established;
content:"/cache/pdf_efax_"; fast_pattern:only; http_uri;
pcre:"/\/cache\/pdf\x5Fefax\x5F\d{8,15}\.zip$/Ui"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694
a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30568; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Win.Trojan.Agent Funeral ceremony phishing attempt"; flow:to_client,established;
content:"filename=FuneralCeremony_"; fast_pattern:only; http_header;
content:".zip"; nocase; http_header; file_data; content:"FuneralCeremony_";
content:".exe"; distance:0; nocase; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e838
4981832822329d8ccfb125/analysis/1395241815/; classtype:trojan-activity; sid:30569;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"PREF="; depth:5; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1f18a4018fffd30bdb1f9fb6280182bd0/analysis/1396537812/; reference:url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2bc087f205711cdbad3e4b1bde7be2d75/analysis/; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:30570; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30778; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30779; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30780; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30781; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30782; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30783; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30784; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30785; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30786; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; content:"|00 00|"; within:2; distance:24; content:".exe"; within:64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30906; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; content:"|00 00|"; within:2; distance:24; content:".exe"; within:64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30909; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.2|3B| Trident/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30914; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"|3E 00|e|00|c|00|h|00|o|00 20 00|c|00|m|00|d|00 5F 00|b|00|e|00|g|00|i|00|n|00|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30915; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; urilen:72; content:"POST"; http_method; content:".php?q="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30920; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response"; flow:to_client,established; content:"|5D 00 20 00|h|00|i|00|k|00|i|00|t|00|>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http, service ssl; reference:url,www.virustotal.com/en/file/aa4b2b448a5e246888304be51ef9a65a11a53bab7899bc1b56e4fc20e1b1fd9f/analysis/; classtype:trojan-activity; sid:30948; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; content:"/load"; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/load(?:(?:db|rh|silver|msie|flash|fla[0-9]{4,5}))\.php/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/hunter/123/order.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:31020; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php HTTP/1.0|0D 0A|Connection: keep-alive|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 0|0D 0A|Host: "; content:"|0D 0A|Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.9,*/*|3B|q=0.8|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/726644e5f666b133159e6c2591cdd3bc628bcd335b381b74fcfd2e4db73689af/analysis/; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31036; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadnessPro outbound connection"; flow:to_server,established; content:"/?"; http_uri; content:"uid="; http_uri; content:"&mk="; fast_pattern; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:trojan-activity; sid:31053; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/docs/index.php"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|application/octet-stream"; http_header; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b47a1bdf5e53f4a754413d2461f7db9a4c7d1e0845c1f676b5399061e3dc1a4b/analysis/; classtype:trojan-activity; sid:31070; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:11; content:"/srt/ge.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/750d533898f19c606ee9e96ff72c1aa3d830c469f2f564890ebbc38b169eb41b/analysis/1400275398/; classtype:trojan-activity; sid:31084; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent hello crazyk"; flow:to_server,established; content:"User-Agent: hello crazyk|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/e61acf1cf61938eaa9cfa40e9dcd357f271c17c20218ba895c1f4a/analysis/; classtype:trojan-activity; sid:31090; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos password stealing attempt"; flow:to_server,established; content:"rotina=plogin&login="; fast_pattern:only; http_client_body; content:"&senha="; http_client_body; content:"&casa="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31112; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:")&dt="; fast_pattern:only; http_client_body; content:"pc="; depth:3; http_client_body; content:"&av="; distance:0; http_client_body; content:"&wd="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31113; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:31136; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/notify.php HTTP/1.0|0D 0A|"; fast_pattern:only; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; content:"Content-Length: 0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31221; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; urilen:17; content:"/second/game1.inf"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31222; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:15; content:"/news/index.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b9042d964cb1e4f5f3386a6db4f1cf30e/analysis/1400509611/; classtype:trojan-activity; sid:31243; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; urilen:43; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; content:"Firefox/"; distance:0; content:!"|0D 0A|Accept-"; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:31244; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt"; flow:to_client,established; file_data; content:"function FindProxyForURL(url, host)"; depth:35; content:"yx0=0|3B|yx1=1|3B|yx2=2|3B|yx3=3|3B|yx4=4|3B|yx5=5|3B|yx6=6|3B|yx7=7|3B|yx8=8|3B|yx9=9|3B|lit=|22 22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.exposedbotnets.com/2013/06/localmworg-andromeda-http-botnet-hosted.html; classtype:trojan-activity; sid:31260; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi outbound connection"; flow:to_server,established; content:".inf HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; pcre:"/\)\r\nHost\x3a\x20[\d\x2e]{7,15}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/c77a679df3b74c622e39ab163fc876cc9d7719f2c2e8cf80beb36c813827d0c7/analysis/; classtype:trojan-activity; sid:31261; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.VBNA variant outbound connection"; flow:to_server,established; content:"/0.gif?"; depth:7; http_uri; content:" HTTP/1.1|0D 0A|Host: sstatic1.histats.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NWI5M2QwY2QxZWIwNDU4NDliYjU5NWJmMzc0MzQ2MDE/; reference:url,www.virustotal.com/en/file/0a777870b65d3dc80b56baf77f6d9e342d25a1c7d670077eca14a0f4309f9e26/analysis/; reference:url,www.virustotal.com/en/file/b5a01ce5e2b074f40d86ecca802658a5c998b5bf452f164b1a76f8fa27f53b15/analysis/; classtype:trojan-activity; sid:31262; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_server,established; content:"/publickey/ HTTP/1.1|0D 0A|User-Agent: Wget/1.9|0D 0A|Host: "; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:31293; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"/workers.php?mac="; fast_pattern:only; http_uri; content:"&gpu="; http_uri; content:!"|0D 0A|User-Agent:"; http_header; content:!"|0D 0A|Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31295; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL variant outbound connection"; flow:to_server,established; content:"/srv2.php?param=1 HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZDI5NTViMGI2MzZiNDU0MTlhMzNlZDhiZGUwNjFmOGY/; classtype:trojan-activity; sid:31315; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"Transfer-Encoding: Chunked"; fast_pattern; nocase; content:"|0D 0A|"; distance:0; byte_test:8,>,2147483647,0,string,hex,relative; content:"|20|"; within:9; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:31405; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:4; content:"/re/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/56939273f68158dacc58d4e8d5bb5b0c4c04be89e279651c8f19fa6392f3d837/analysis/; reference:url,www.virustotal.com/en/file/ad40cabf66001087c2e9f548811b17341f63f19f528a3c04a1c9ab9f10b5eff9/analysis/; classtype:trojan-activity; sid:31442; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall downloader attempt"; flow:to_server,established; urilen:<20; content:"User-Agent|3A 20|macrotest|0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f(css|upload)\x2f[a-z]{2}[0-9]{3}\x2eccs/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e370c1fc6e7e289523fdf2f090edb7885f8d0de1b99be0164dafffeca9914b10/analysis/; classtype:trojan-activity; sid:31449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:<17; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Connection: Close|0D 0A|Content-Length: 100|0D 0A|User-Agent: "; fast_pattern:only; content:"="; depth:1; offset:1; http_client_body; pcre:"/[a-z]=[a-f0-9]{98}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31450; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?chave=xchave&url|3D 20 3D 7C 3D 20|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c179485146e439847a68cdf52b85328b66dd22/analysis/; classtype:trojan-activity; sid:31452; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|User-Agent: Mozilla/5.0|0D 0A|"; content:"Service Pack "; fast_pattern:only; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31453; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:".rar HTTP/1.1|0D 0A|Accept: text/*, application/*|0D 0A|User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31454; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SDBot variant outbound connection"; flow:to_server,established; urilen:8; content:"/install"; http_uri; content:"argc="; depth:5; http_client_body; content:"&name="; distance:0; http_client_body; content:"&previous="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31458; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"/query?version="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:"&builddate="; distance:0; http_uri; content:"&q="; distance:0; http_uri; content:"&ref="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31465; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"|0D 0A|builddate:"; fast_pattern:only; http_header; content:"|0D 0A|aid: "; http_header; content:"|0D 0A|redirect: http://"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31466; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:9; content:"/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/viewforum.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:!"Referer:"; http_header; content:!"Cookie:"; http_header; pcre:"/sid=[0-9A-F]{32}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9e548d9a37c46423680e324b31204197babc45ddc05835afa772fde8627e72b2/analysis/; classtype:trojan-activity; sid:31468; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.HW32 variant spam attempt"; flow:to_server,established; content:"MAIL FROM: <Reademal.com>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31507; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/index.php?email=libpurple_XMPP"; fast_pattern:only; http_uri; content:"&method=post"; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b2b7571ffc6ee27fc716f308d72a3268ffa5f32330ca6349aacc92e6cecb2582/analysis/1406043461/; classtype:trojan-activity; sid:31530; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE MinerDeploy monitor request attempt"; flow:to_server,established; content:"/monitor.php?"; fast_pattern; http_uri; content:"myid="; distance:0; http_uri; content:"&ip="; distance:0; http_uri; content:"&cgminer="; distance:0; http_uri; content:"&operatingsystem="; distance:0; http_uri; content:!"Content-Length|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06033b08afd30b413cce3b9a169cb8396fe34865f3bacd436c652dbb469ced62/analysis/; classtype:trojan-activity; sid:31531; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SMSSend outbound connection"; flow:to_server,established; content:"sms"; http_uri; content:".ashx?t="; fast_pattern:only; http_uri; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a70a62ac920e83bab5e3e38ac8853ca3f45b6022f4d4ca47c9ae5cb9049700bb/analysis/1406724303/; classtype:trojan-activity; sid:31593; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client"; flow:to_client,established; dsize:6; content:"HELLO|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31603; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client"; flow:to_client,established; dsize:6; content:"READD|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31604; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client"; flow:to_client,established; dsize:6; content:"READY|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31605; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Glupteba payload download request"; flow:to_server,established; content:"/software.php?"; fast_pattern:only; http_uri; content:"Accept|3A| */*"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.1|3B|"; http_header; pcre:"/\/software\x2ephp\x3f[0-9]{15,}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31606; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server"; flow:to_server,established; dsize:15<>18; content:"|3A|bpass|0A|"; fast_pattern:only; pcre:"/[0-9A-Z]{8}\x3abpass\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31607; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; fast_pattern:only; http_header; content:"|0D 0A|Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; pcre:"/[^\x20-\x7e\r\n]{3}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31641; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; urilen:4; content:"/de/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; http_header; content:"Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31642; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Scarelocker outbound connection"; flow:to_server,established; content:"/api.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|UNAVAILABLE"; http_header; content:"method="; http_client_body; content:"&app_key="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; reference:url,www.virustotal.com/en/file/ebed6a20738f68787e19eaafc725bc8c76fba6b104e468ddcfb05a4d88a11811/analysis/; classtype:trojan-activity; sid:31644; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; urilen:16; content:"/boydn/boye.html"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31649; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tirabot variant outbound connection"; flow:to_server,established; content:"&string="; fast_pattern:only; http_client_body; content:"key="; depth:4; http_client_body; content:"Content-Type: application/x-www-Form-urlencoded|0D 0A|"; http_header; content:".php"; http_uri; pcre:"/User\x2dAgent\x3a\x20([\x20-\x7e]{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d/ms"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e02994253cb4a673bdd6db9a02fa5ab9ffb8/analysis/1407432311/; classtype:trojan-activity; sid:31680; rev:1;)
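# Added example, not part of this rule file: the Tirabot rule above (sid 31680) does most
# of its work in the pcre, which has no buffer modifier (so it runs over the whole request)
# and uses a back-reference, so the User-Agent value must reappear as the key= parameter of
# the POST body. Together with the odd casing of "x-www-Form-urlencoded" in the Content-Type
# check (no nocase, so a correctly cased browser header does not match) that is what
# separates the beacon from ordinary form posts. The Papras rule (sid 31468) takes the
# opposite approach: negated content checks on the Referer and Cookie headers a browser
# would send to a forum. The Python below splits a raw request into approximations of the
# http_uri, http_header and http_client_body buffers and evaluates both rules against
# constructed requests. split_http_request, the sample requests and the .invalid hostnames
# are this example's own, not Sourcefire's; URI normalization, urilen and the
# depth/distance/within modifiers are not emulated.

```python
"""Emulation of the Snort HTTP buffers used by sid 31680 (Tirabot) and sid 31468 (Papras).
Added example, not part of the Sourcefire community rule file; the requests below are
constructed for the example, not captured traffic."""
import re


def split_http_request(raw: bytes) -> dict:
    """Approximate the buffers Snort 2's http_* modifiers select.

    uri    -> http_uri (raw request-target; no URI normalization applied here)
    header -> http_header (header block without the request line; the terminating
              CRLF CRLF is kept, which is what rules matching "|0D 0A 0D 0A|" expect)
    body   -> http_client_body
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    fields = request_line.split(b" ")
    uri = fields[1] if len(fields) > 1 else b""
    return {"method": fields[0], "uri": uri, "header": headers + b"\r\n\r\n", "body": body}


# sid 31680: the pcre has no buffer modifier, so it runs over the whole payload.  The
# back-reference \1 forces the User-Agent value to reappear as the key= parameter.
TIRABOT_PCRE = re.compile(
    rb"User\x2dAgent\x3a\x20([\x20-\x7e]{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d",
    re.M | re.S)


def tirabot_match(raw: bytes) -> bool:
    b = split_http_request(raw)
    return (b["body"].startswith(b"key=")              # content:"key="; depth:4; http_client_body
            and b"&string=" in b["body"]               # content:"&string="; http_client_body
            # Capital F: the bot's hand-rolled header is a fingerprint, and the rule has
            # no nocase, so a correctly cased browser header will not match.
            and b"Content-Type: application/x-www-Form-urlencoded\r\n" in b["header"]
            and b".php" in b["uri"]
            and TIRABOT_PCRE.search(raw) is not None)


# sid 31468: positive checks on method and URI, negative checks (content:!) on headers a
# real browser would send to a forum, and a 32-hex-digit session id in the URI.
PAPRAS_SID = re.compile(rb"sid=[0-9A-F]{32}")


def papras_match(raw: bytes) -> bool:
    b = split_http_request(raw)
    return (b["method"] == b"POST"
            and b"/viewforum.php?f=" in b["uri"] and b"&sid=" in b["uri"]
            and b"Referer:" not in b["header"]         # content:!"Referer:"; http_header
            and b"Cookie:" not in b["header"]          # content:!"Cookie:"; http_header
            and PAPRAS_SID.search(b["uri"]) is not None)


# Constructed samples (hostnames are placeholders, not indicators).
TIRABOT_BEACON = (b"POST /panel/gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                  b"User-Agent: 7F3A9C12\r\nContent-Type: application/x-www-Form-urlencoded\r\n"
                  b"Content-Length: 28\r\n\r\nkey=7F3A9C12&string=aGVsbG8=")
# Same request with key= not equal to the User-Agent: every content check still passes,
# only the back-reference fails.
TIRABOT_NEAR_MISS = TIRABOT_BEACON.replace(b"key=7F3A9C12", b"key=DEADBEEF")

PAPRAS_BEACON = (b"POST /viewforum.php?f=12&sid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1\r\n"
                 b"Host: forum.example.invalid\r\nContent-Length: 0\r\n\r\n")
# A browser session carries a Cookie header, which the negated content excludes.
PAPRAS_BROWSER = PAPRAS_BEACON.replace(b"Host:", b"Cookie: phpbb3_sid=abc\r\nHost:")

if __name__ == "__main__":
    for name, req, check in [("tirabot beacon", TIRABOT_BEACON, tirabot_match),
                             ("tirabot near-miss", TIRABOT_NEAR_MISS, tirabot_match),
                             ("papras beacon", PAPRAS_BEACON, papras_match),
                             ("papras browser", PAPRAS_BROWSER, papras_match)]:
        print(f"{name}: {check(req)}")
```

# The near-miss request satisfies every content check and fails only on the back-reference,
# which is why the correlation sits in the pcre rather than in two independent content
# matches. A rule keyed to a miscased header is precise but brittle: it stops matching the
# day the malware author fixes the header.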
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:12; content:"/support.exe"; fast_pattern:only; http_uri; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip,deflate,sdch|0D 0A|Host: "; content:") Chrome/"; distance:0; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b463327fb8360fd55a27e6f9961c8a84a47c5/analysis/; classtype:trojan-activity; sid:31681; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:9; content:"/tmps.exe"; fast_pattern:only; http_uri; content:"Proxy-Authorization: Basic |0D 0A|"; http_header; content:"__cfduid="; depth:9; http_cookie; content:") Chrome/"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31682; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur variant outbound connection"; flow:to_server,established; content:"/get/?data="; depth:11; http_uri; content:"User-Agent: win32|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31683; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 10|JFIF"; depth:6; offset:4; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/s"; metadata:ruleset community, service smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:31719; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Banker.Delf variant outbound connection"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/notify.php"; http_uri; content:"Content-Length: 0|0D 0A|"; http_header; content:" HTTP/1.0|0D 0A|"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd0cf673642ecc56ac464fe7a81a6994ca/analysis/; classtype:trojan-activity; sid:31820; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"dados="; depth:6; http_client_body; content:"&ct="; distance:0; http_client_body; content:"/"; within:1; distance:2; http_client_body; content:"/201"; within:4; distance:2; http_client_body; content:"="; within:1; distance:1; http_client_body; content:"&windows="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1da7576e0c0327650915b79f9340fa84ff/analysis/; classtype:trojan-activity; sid:31824; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delf variant HTTP Response"; flow:to_client,established; content:"Content-Length: 201|0D 0A|"; file_data; content:"<meta name=|22|token|22| content=|22 A4|"; depth:29; content:"|A4 22|/>"; within:4; distance:168; pcre:"/^\x3cmeta\x20name\x3d\x22token\x22\x20content\x3d\x22\xa4[A-F\d]{168}\xa4\x22\x2f\x3e$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31826; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"/token/token.html HTTP/1.1|0D 0A|User-Agent: "; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer:"; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z\d\x2e\x2d]{6,32}\r\nCache\x2dControl\x3a\x20no\x2dcache\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31827; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"PASS|20|images|0D 0A|"; flowbits:isset,qlogic_default_ftp; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31830; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"USER|20|images|0D 0A|"; flowbits:set,qlogic_default_ftp; flowbits:noalert; metadata:ruleset community, service ftp; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31831; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_server,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:31871; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/trdpr/trde.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31916; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt"; flow:to_client,established; file_data; content:"%set_intercepts%"; fast_pattern:only; content:"%ban_contact%"; content:"%ebaylive%"; content:"%dep_host%"; content:"%relay_soxid%"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31923; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?method="; http_uri; content:"&mode=sox&v="; fast_pattern:only; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31924; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/notify.php"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31964; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:2;)
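# Added example, not part of this rule file, for two things the rules above rely on. First,
# the Glupteba rules (sids 31603 to 31607) match raw TCP payloads with dsize plus content,
# where the content string mixes literal text with |hex| bytes and dsize:15<>18 is an
# inclusive range in Snort 2; the 15-byte "XXXXXXXX:bpass\n" authentication message is the
# low end of that range. Second, the QLogic pair (sids 31830/31831), the JPEG pair (sids
# 31719/31871) and the Astrum rules (sids 31965 to 31972) are linked through flowbits: a
# rule that tests isset can only ever fire if some enabled rule sets the same bit earlier
# in the flow, and a commented-out or missing setter silently turns the reader into dead
# weight. The Python below parses a subset of this file's rules (copied from the page with
# the metadata and reference options dropped), evaluates the payload-level ones against
# constructed Glupteba-style messages, and reports flowbits that are tested without an
# enabled setter or set without a reader. The parser, the evaluator (dsize, content and
# pcre only; no buffer modifiers, no depth/offset/distance/within, no flow state) and the
# sample payloads are this example's own, not Sourcefire's.

```python
"""Parse a subset of this file's rules, evaluate the payload-level ones against constructed
C2 messages, and audit flowbits dependencies.  Added example; not Sourcefire's code."""
import re

# Rules copied from this file, abridged: metadata and reference options dropped.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client"; flow:to_client,established; dsize:6; content:"HELLO|0A|"; classtype:trojan-activity; sid:31603; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server"; flow:to_server,established; dsize:15<>18; content:"|3A|bpass|0A|"; fast_pattern:only; pcre:"/[0-9A-Z]{8}\x3abpass\x0a/"; classtype:trojan-activity; sid:31607; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"PASS|20|images|0D 0A|"; flowbits:isset,qlogic_default_ftp; classtype:default-login-attempt; sid:31830; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"USER|20|images|0D 0A|"; flowbits:set,qlogic_default_ftp; flowbits:noalert; classtype:default-login-attempt; sid:31831; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 10|JFIF"; depth:6; offset:4; classtype:attempted-user; sid:31719; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_server,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; classtype:misc-activity; sid:31871; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; classtype:trojan-activity; sid:31966; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. HTTP/1."; fast_pattern:only; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; classtype:trojan-activity; sid:31971; rev:9;)
'''

RULE_RE = re.compile(r"^(#\s*)?(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_options(body: str):
    """Split the option body on ';' outside double quotes into (keyword, value) pairs."""
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"' and not buf.endswith("\\"):
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            opts.append((key, val.strip()))
            buf = ""
        else:
            buf += ch
    return opts


def parse_rules(text: str):
    """One dict per rule line; a leading '#' marks the rule disabled but it is still parsed."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            opts = parse_options(m.group(9))
            rules.append({"enabled": m.group(1) is None, "opts": opts,
                          "sid": int(next(v for k, v in opts if k == "sid"))})
    return rules


def decode_content(value: str):
    """'"HELLO|0A|"' -> (False, b'HELLO\\n'); a leading ! marks a negated match."""
    negated = value.startswith("!")
    text = value.lstrip("!").strip().strip('"')
    out = b""
    for i, part in enumerate(text.split("|")):      # odd pieces are the |hex| runs
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return negated, out


def dsize_ok(spec: str, n: int) -> bool:
    """dsize:N, dsize:<N, dsize:>N or dsize:lo<>hi; the range is inclusive in Snort 2."""
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo <= n <= hi
    if spec[0] in "<>":
        return n < int(spec[1:]) if spec[0] == "<" else n > int(spec[1:])
    return n == int(spec)


def compile_pcre(value: str):
    """'/pattern/flags' -> bytes regex; i, s, m honoured, buffer selectors (U, H, ...) ignored."""
    pattern, _, flags = value.strip('"')[1:].rpartition("/")
    f = 0
    for ch in flags:
        f |= {"i": re.I, "s": re.S, "m": re.M}.get(ch, 0)
    return re.compile(pattern.encode("latin-1"), f)


def payload_matches(rule: dict, payload: bytes) -> bool:
    """dsize, content (anywhere in the payload) and pcre only: no depth/offset/distance/within,
    no http_* buffers, no flow or flowbits state.  Enough for single-packet C2 rules."""
    for key, val in rule["opts"]:
        if key == "dsize" and not dsize_ok(val, len(payload)):
            return False
        if key == "content":
            negated, pat = decode_content(val)
            if (pat in payload) == negated:
                return False
        if key == "pcre" and not compile_pcre(val).search(payload):
            return False
    return True


def evaluate(sid: int, payload: bytes) -> bool:
    return payload_matches(next(r for r in parse_rules(RULES) if r["sid"] == sid), payload)


def audit_flowbits(rules):
    """Bits tested (isset/isnotset) without an enabled setter can never fire; bits set but never
    tested cost flow state for nothing.  Returns ({dead bit: [reader sids]}, [unread bits])."""
    setters, readers = {}, {}
    for r in rules:
        for key, val in r["opts"]:
            if key == "flowbits":
                op, _, names = val.partition(",")
                for name in filter(None, re.split(r"[&|]", names)):
                    if op in ("set", "setx", "toggle"):
                        setters.setdefault(name, []).append(r)
                    elif op in ("isset", "isnotset"):
                        readers.setdefault(name, []).append(r)
    dead = {name: [r["sid"] for r in rs] for name, rs in readers.items()
            if not any(s["enabled"] for s in setters.get(name, []))}
    return dead, sorted(name for name in setters if name not in readers)


if __name__ == "__main__":
    # Constructed Glupteba-style messages; "A1B2C3D4" is a placeholder bot id.
    for sid, msg in [(31603, b"HELLO\n"), (31607, b"A1B2C3D4:bpass\n"), (31607, b"a1b2c3d4:bpass\n")]:
        print(sid, msg, evaluate(sid, msg))
    print(audit_flowbits(parse_rules(RULES)))
```

# Against this subset the audit reports file.exploit_kit.pe as tested by sid 31966 with no
# setter, and the four bits sid 31971 sets as unread. Whether that holds for a deployment
# depends on the rest of the rule set, which is why the check belongs in the pipeline that
# assembles the rule set rather than in a one-off review.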
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chebri variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php HTTP/1.0|0D 0A|Host: google.com|0D 0A|User-Agent: "; fast_pattern:only; content:"0="; depth:2; http_client_body; content:"Accept-Encoding: none|0D 0A 0D 0A|"; http_header; pcre:"/User\x2dAgent\x3a\x20[A-F\d]{32}\r\n/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494daa2ebe36117a8333577d857a7c2d1ec6/analysis/1409853252/; classtype:trojan-activity; sid:31973; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31975; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31976; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:5;)
alert udp $HOME_NET 67 -> $HOME_NET 68 (msg:"OS-OTHER Malicious DHCP server bash environment variable injection attempt"; flow:stateless; content:"() {"; fast_pattern:only; content:"|02 01 06 00|"; depth:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31985; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Install|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/; classtype:trojan-activity; sid:31990; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Treck|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e295922322324e048657a5b4c0c4c9717a1a127e39ba45a03dc5d4d4bb2e523f/analysis/; classtype:trojan-activity; sid:31991; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"DeltaTicket_ET-RM-"; distance:0; nocase; content:".exe"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe; classtype:trojan-activity; sid:32008; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command"; flow:to_client,established; dsize:<15; content:"|21 2A 20|SCANNER ON"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound telnet connection attempt"; flow:to_server,established; content:"/bin/busybox|3B|echo -e |27 5C|147|5C|141|5C|171|5C|146|5C|147|5C|164|27 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service telnet; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound connection"; flow:to_server,established; dsize:10; content:"BUILD X86|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32011; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"MAIL"; nocase; content:"FROM|3A|"; distance:0; nocase; pcre:"/^\s*?MAIL\s+?FROM\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32038; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"RCPT"; nocase; content:"TO|3A|"; distance:0; nocase; pcre:"/^\s*?RCPT\s+?TO\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32039; rev:3;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"USER "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32043; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Asprox inbound connection"; flow:to_client,established; content:"Content-Length: 30"; http_header; file_data; content:"|3C|html|3E 3C|body|3E|hi!|3C 2F|body|3E 3C 2F|html|3E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32065; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:20<>23; content:"/b/pkg/T202"; depth:11; fast_pattern; http_uri; content:"UA-CPU: "; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fb\x2fpkg\x2fT202[0-9a-z]{10}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32066; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:46<>51; content:"/x/"; depth:3; fast_pattern; http_uri; content:"UA-CPU: "; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32067; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"PASS "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32069; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot configuration download attempt"; flow:to_server,established; content:"/mod_"; http_uri; content:"/soft"; http_uri; content:".dll"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fsoft(64|32)\x2edll$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot outbound connection"; flow:to_server,established; content:"/b/shoe/"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fb\x2fshoe\x2f[0-9]{3,5}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32073; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot payload download attempt"; flow:to_server,established; content:"/mod_articles-auth-"; depth:19; fast_pattern; http_uri; content:"/jquery/"; within:8; distance:7; http_uri; content:"Accept: */*|0D 0A|Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32074; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/beta/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:32130; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [53,80,443,5432] (msg:"MALWARE-CNC WIN.Trojan.Plugx variant outbound connection"; flow:to_server,established; content:"HHV1:"; content:"HHV2:"; within:20; content:"HHV3: 61456"; within:20; fast_pattern; content:"HHV4:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns, service http, service ssl; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32179; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt"; flow:to_client,established; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32180; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt"; flow:to_server,established; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32181; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zxshell variant outbound connection"; flow:to_server,established; content:"|20|OS|3A 20|"; content:"|20|CPU|3A|"; distance:0; content:"Hz,RAM|3A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/547044cb73f1c18ccd92cd28afded37756f749a9338ed7c04306c1de46889d6b/analysis/; classtype:trojan-activity; sid:32192; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|PLUG|22 0D 0A|"; fast_pattern:only; http_client_body; content:"form-data|3B| name=|22|PC|22 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|SEG|22 0D 0A|"; distance:0; http_client_body; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f7215718184d5fa1a2057e5dd714d3cdbd00fe924334ecdd3cd5662c3c284d90/analysis/; classtype:trojan-activity; sid:32196; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection"; flow:to_server,established; urilen:27; content:"/blog-trabajos/n65dj17i1836"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6e805135679a2352463184acb06ffcaf0/analysis/; classtype:trojan-activity; sid:32225; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_server,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:32244; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected"; flow:to_server,established; content:"/info.xml"; http_uri; content:"Host:"; http_header; content:"update-adobe.com"; within:30; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32250; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl"; flow:to_client,established; content:"|3A|irc|2D|sinkhole|2E|cert|2E|pl"; fast_pattern:only; content:"|3A|End of MOTD command|2E|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:32260; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:" () {"; depth:50; urilen:>0,norm; content:!"HTTP/"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32335; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"() {"; http_cookie; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32336; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; content:"}"; within:25; pcre:"/^[\w\x2d\x5f]+?\x3a\s*?\x28\x29\s\x7b/mi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32366; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection"; flow:to_server,established; urilen:<10; content:"/update"; http_uri; content:"POST"; http_method; content:"|0D 0A|Accept-Encoding:|0D 0A|Connection: close|0D 0A|Content-Length: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc/analysis; classtype:trojan-activity; sid:32367; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_server,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community, service smtp; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:32370; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:32374; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY bmp file attachment detected"; flow:to_server,established; content:".bmp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ebmp/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32378; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY dib file attachment detected"; flow:to_server,established; content:".dib"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edib/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32380; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32386; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; urilen:16; content:"/cbrry/cbre.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01259cb00a4e3709815711b8b364a58bdd/analysis/1415285838/; classtype:trojan-activity; sid:32583; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"plug=NAO"; fast_pattern:only; http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"Content-Length: 8"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5OWY/; reference:url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25aed42ff76f96fc51cb3eada95ba57e59/analysis/; classtype:trojan-activity; sid:32584; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Geodo variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)|0D 0A|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd54b9eb18b323079da9552c4e3d8e62d1e/analysis/; classtype:trojan-activity; sid:32604; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Jenxcus variant outbound connection"; flow:to_server,established; content:"/seo.php?username=MAREYOLE&format=ptp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e59869f52c7060bb2ab1f57ef6757321d/analysis/; classtype:trojan-activity; sid:32605; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sodebral variant outbound connection"; flow:to_server,established; content:"/verifica/index.php?id="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32606; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string RUpdate"; flow:to_server,established; content:"User-Agent: RUpdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32645; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"_pdf.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32646; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; content:"/search?btnG="; http_uri; content:"utm="; distance:0; http_uri; content:"ai="; distance:0; http_uri; content:!"."; depth:20; http_client_body; content:!"|22|"; depth:20; http_client_body; content:!"|3A|"; depth:20; http_client_body; isdataat:500,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32665; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; content:"/webhp?rel="; http_uri; content:"hl="; distance:0; http_uri; content:"ai="; distance:0; http_uri; content:!"."; depth:20; http_client_body; content:!"|22|"; depth:20; http_client_body; content:!"|3A|"; depth:20; http_client_body; isdataat:500,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32667; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Ch variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Content-length:"; http_header; content:"Content-type:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/3d8f05f45f8335198e5488716be2a9c5cebead7d0321bc371fa475d689ffe658/analysis/; classtype:trojan-activity; sid:32670; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8080] (msg:"MALWARE-CNC Win.Trojan.Wiper variant outbound connection"; flow:to_server,established; dsize:42; content:"(|00|"; depth:2; content:"|04 00 00 00|"; within:4; distance:36; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a/analysis/; classtype:trojan-activity; sid:32674; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FIN4 VBA Macro credentials upload attempt"; flow:to_server, established; content:"POST"; http_method; content:"/report.php?msg="; fast_pattern:only; http_uri; content:"&uname="; http_uri; content:"&pword="; http_uri; content:"Content-Length|3A 20|0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/url/536ed7236769b9a5f09b2a31ab138fbad7331108cb65e1f4c77d129df7fb7764/analysis/; classtype:trojan-activity; sid:32776; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; content:"/images/view.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection"; flow:to_server,established; content:"/txt/read.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; content:"/bin/read_i.php?"; http_uri; content:"a1="; http_uri; content:"&a2=step2-down"; fast_pattern:only; http_uri; content:"&a3="; http_uri; content:"&a4="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32825; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel data upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/html/docu.php"; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32826; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Darkhotel response connection attempt"; flow:to_client,established; file_data; content:"DEXT87"; pcre:"/DEXT87(no|up|\d+\x2e\d+\x2e\d+\x2e\d+)/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32827; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223"; flow:to_server,established; content:"Host|3A| 209.53.113.223|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32845; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - absolute.com"; flow:to_server,established; content:".absolute.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; pcre:"/^m\d+\.absolute\.com$/Hi"; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32846; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com"; flow:to_server,established; content:"Host|3A| bh.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32847; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za"; flow:to_server,established; content:"Host|3A| namequery.nettrace.co.za|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32848; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com"; flow:to_server,established; content:"Host|3A| search.us.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32849; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com"; flow:to_server,established; content:"Host|3A| search2.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32850; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com"; flow:to_server,established; content:"Host|3A| search64.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32851; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/form.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32852; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/feed.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32853; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:"/wp-admin/"; fast_pattern:only; http_header; content:"Host: www.fedex.com|0D 0A|"; http_header; pcre:"/Referer\x3a\x20[\x20-\x7E]*?\/wp\x2dadmin\/[a-z\d\x2d]+?\.php\r\n/Hi"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/; classtype:trojan-activity; sid:32888; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:ruleset community, service smtp; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:32889; rev:1;)
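The PNG rule above (sid 32889) is a good illustration of how a Snort content chain plus `byte_test` maps onto a file format: the signature, then the `IHDR` chunk type within 8 bytes (the 4-byte chunk length sits in between), then the 4-byte big-endian width read relative to the end of `IHDR`. The following Python is an added example, not part of the rule set, that re-implements that exact match logic so the threshold behaviour can be checked offline; the PNG headers it builds are constructed test input, not captured files.

```python
"""Added example (not part of the Snort community rule set): a Python
re-implementation of the match logic in sid 32889, used to see exactly what
the rule's byte_test accepts. Sample PNG headers are constructed here for
the test; they are not captured files."""
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Threshold from byte_test:4,>,32767,0,relative (unsigned, big-endian by default).
WIDTH_LIMIT = 32767


def png_width_overflow(data: bytes) -> bool:
    """Return True when `data` satisfies the rule's content/byte_test chain.

    content:"|89|PNG|0D 0A 1A 0A|"   -> 8-byte signature anywhere in the buffer
    content:"IHDR"; within:8         -> "IHDR" must lie entirely within the next 8 bytes
                                        (4-byte chunk length, then the chunk type)
    byte_test:4,>,32767,0,relative   -> 4-byte big-endian width right after "IHDR"
    """
    sig = data.find(PNG_SIGNATURE)
    if sig < 0:
        return False
    cursor = sig + len(PNG_SIGNATURE)
    # find(sub, start, end) requires the whole 4-byte "IHDR" inside [cursor, cursor+8)
    ihdr = data.find(b"IHDR", cursor, cursor + 8)
    if ihdr < 0:
        return False
    width_off = ihdr + 4
    if len(data) < width_off + 4:
        return False
    (width,) = struct.unpack(">I", data[width_off:width_off + 4])
    return width > WIDTH_LIMIT


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: signature plus an IHDR chunk with a dummy CRC."""
    # IHDR data: width, height, bit depth 8, colour type 6, compression, filter, interlace
    ihdr_data = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIGNATURE
            + struct.pack(">I", len(ihdr_data)) + b"IHDR" + ihdr_data
            + b"\x00\x00\x00\x00")


if __name__ == "__main__":
    for w in (100, 32767, 32768, 0x80000000):
        print(w, png_width_overflow(make_png_header(w, 1)))
```

Two points the code makes explicit: the compare is unsigned, so a width with the sign bit set (0x80000000) trips the same test as a width of 32768, and any legitimate image wider than 32767 pixels will alert too. The rule itself only runs once the file-type preprocessor has set `file.png` on the flow, which the snippet does not model.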
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32911; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32912; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|4C 4C|"; depth:2; offset:16; content:"|75 14 2A 2A|"; within:4; distance:4; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32913; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 67 80 F2 24 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32914; rev:1;)
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32915; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32916; rev:1;)
# alert tcp $EXTERNAL_NET [547,8080,133,117,189,159] -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|7B 08 2A 2A|"; offset:17; content:"|08 2A 2A 01 00|"; distance:0; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32917; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32918; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|C9 06 D9 96 FC 37 23 5A FE F9 40 BA 4C 94 14 98|"; depth:16; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32919; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 64 BA F2 56|"; depth:50; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32920; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 74 BA F2 B9 75|"; depth:74; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32921; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4D 5A 4C 4F 50 51 4C 5A 3F 2D 2F 2F 3F 50 54 3E 3E 3E|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32922; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D3 C4 D2 D1 CE CF D2 C4 A1 B3 B1 B1 A1 CE CA A0 A0 A0|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32923; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32924; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20 1F|"; depth:23; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32925; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0C 66 66 66|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32926; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|09 22 33 30 28 35 2C|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32927; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|13 2F 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32928; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32929; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4F 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4E 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32930; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D1 CE D2 D5 A1 C9 D5 D5 D1 A1 D3 C4 D0 D4 C4 D2 D5 BE|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32931; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32932; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32933; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 EA 62 80 F2 B4 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32934; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 4E 80 F2 79 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32935; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 3A 80 F2 73 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32936; rev:1;)
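Four of the Wiper "download attempt" rules (sids 32914, 32934, 32935 and 32936) share the same 10-byte shape and differ only in two immediates: the content is x86 for a one-byte-at-a-time string decoder (`mov dl,[eax]`; `add`/`sub dl,k1`; `xor dl,k2`; `mov [eax],dl`). The Python below is an added example, not part of the rule set or of any sample, that parses those opcode bytes back into the operation and constants and applies the loop to a buffer. The encoded input it decodes is constructed here by running the inverse transform on a made-up string; it is not data from the samples referenced in TA14-353A.

```python
"""Added example (not part of the rule set or of any Wiper sample): emulate the
byte-decoding loop whose opcodes the "download attempt" rules for sids 32914,
32934, 32935 and 32936 match. Each 10-byte content pattern disassembles as

    8A 10          mov  dl, byte ptr [eax]
    80 C2 <k1>     add  dl, k1        (80 EA <k1> is sub dl, k1 in sid 32934)
    80 F2 <k2>     xor  dl, k2
    88 10          mov  byte ptr [eax], dl

so the rules differ only in the operation and the two immediates. The encoded
input used below is constructed by running the inverse transform on a sample
string; it is not data from a real sample."""
from typing import Tuple

# Content bytes copied from the four rules, keyed by sid.
SIGNATURES = {
    32914: bytes.fromhex("8A1080C26780F2248810"),
    32934: bytes.fromhex("8A1080EA6280F2B48810"),
    32935: bytes.fromhex("8A1080C24E80F2798810"),
    32936: bytes.fromhex("8A1080C23A80F2738810"),
}

# ModRM for the 0x80 group with register dl: /0 (0xC2) = add, /5 (0xEA) = sub.
MODRM_DL = {0xC2: "add", 0xEA: "sub"}


def parse_loop(sig: bytes) -> Tuple[str, int, int]:
    """Return (operation, add/sub immediate, xor immediate) for one signature."""
    if len(sig) != 10 or sig[0:2] != b"\x8a\x10" or sig[8:10] != b"\x88\x10":
        raise ValueError("not the mov dl,[eax] ... mov [eax],dl frame")
    if sig[2] != 0x80 or sig[3] not in MODRM_DL or sig[5:7] != b"\x80\xf2":
        raise ValueError("unexpected arithmetic opcodes")
    return MODRM_DL[sig[3]], sig[4], sig[7]


def decode(buf: bytes, sig: bytes) -> bytes:
    """Apply the loop the way the binary does: (b +/- k1) & 0xFF, then ^ k2."""
    op, k1, k2 = parse_loop(sig)
    out = bytearray()
    for b in buf:
        v = (b + k1) if op == "add" else (b - k1)
        out.append((v & 0xFF) ^ k2)
    return bytes(out)


def encode(plain: bytes, sig: bytes) -> bytes:
    """Inverse of decode(); only used here to build constructed test input."""
    op, k1, k2 = parse_loop(sig)
    out = bytearray()
    for b in plain:
        v = b ^ k2
        out.append(((v - k1) if op == "add" else (v + k1)) & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    sample = b"cmd.exe /c net use"  # constructed plaintext, not from a sample
    for sid, sig in SIGNATURES.items():
        op, k1, k2 = parse_loop(sig)
        blob = encode(sample, sig)
        print(f"sid {sid}: {op} 0x{k1:02x}, xor 0x{k2:02x} -> {decode(blob, sig)!r}")
```

When triaging a hit on one of these rules, `parse_loop` gives the constants to feed into a script like `decode()` over the binary's encoded string table; the same frame with different immediates, which these four rules would miss, is the first thing to look for in a new build.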
# alert tcp any any -> any any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt"; flow:established; content:!"HTTP/1"; content:"|E2 1D 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; within:4; distance:4; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32937; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt"; flow:to_client,established; file_data; content:"|82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32938; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android.CoolReaper.Trojan outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/dmp/api/"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|UAC/1.0.0 (Android "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/94b3d27488d10ec2dd73f39513a6d7845ab50b395d6b3adb614b94f8a8609f0e/analysis/; classtype:trojan-activity; sid:32956; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt"; flow:to_server,established; content:"POST"; http_method; urilen:17; content:"/checkupdate.asmx"; fast_pattern:only; http_uri; content:"SOAPAction|3A 20|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|MS Web Services Client Protocol"; pcre:"/SOAPAction\x3a[^\r\n]*Get(ServerTime|FileList|File)\x22/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32957; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TinyZBot response connection attempt"; flow:to_client, established; file_data; content:"<?xml"; content:"<soap:Body><GetFileListResponse xmlns=|22|http|3A 2F 2F|"; within:70; distance:200; content:"<GetFileListResult><string>[ALL]__"; within:75; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/w1/feed.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32976; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/w1/form.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32977; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: realupdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33047; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Medusa variant inbound connection"; flow:to_client,established; dsize:<510; content:"|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|<|00|/"; content:"|00 22 00 3E 00|w|00|w|00|w|00|.|00|m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 2E 00|c|00|o|00|m|00 3C|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33058; rev:1;)
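The Medusa inbound rule (sid 33058) is written against a UTF-16LE page, which is why every character in its two `content` strings is separated by `|00|` and why each pattern opens with a stray `|00|`: that byte is the high half of the preceding code unit, which lets the match start on a clean character boundary. Reading such patterns by eye is error-prone, so the Python below is an added example, not part of the rule set, that decodes Snort `content` syntax (literal text plus `|hex|` pipe sections) into bytes, spells out what the two wide patterns say, and runs the rule's `dsize`/`distance:0` chain over a constructed decoy page encoded both ways. The HTML is made up for the test; it is not a captured C2 response.

```python
"""Added example (not part of the rule set): a decoder for the Snort `content`
string syntax, used to read the two wide-string patterns in the
Win.Backdoor.Medusa inbound rule (sid 33058) and to run its match chain over a
constructed response. The HTML page below is made up for the test."""


def snort_content_to_bytes(pattern: str) -> bytes:
    """Translate a content string: literal text plus |hex hex| pipe sections.

    Inside the quotes Snort treats |..| as hex bytes (spaces ignored) and a
    backslash as an escape for the next character (\\" \\| \\\\ \\;).
    """
    out = bytearray()
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "|":
            end = pattern.index("|", i + 1)
            out += bytes.fromhex(pattern[i + 1:end].replace(" ", ""))
            i = end + 1
        elif c == "\\":
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


# The two content strings from sid 33058, verbatim.
MEDUSA_CONTENT_1 = "|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|<|00|/"
MEDUSA_CONTENT_2 = "|00 22 00 3E 00|w|00|w|00|w|00|.|00|m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 2E 00|c|00|o|00|m|00 3C|"


def decode_wide(pattern: str) -> str:
    """Show what a wide pattern spells. Both strings start with the high byte of
    the previous UTF-16LE code unit and stop before the high byte of the last
    one, so drop the first byte and pad one NUL before decoding."""
    raw = snort_content_to_bytes(pattern)
    return (raw[1:] + b"\x00").decode("utf-16-le")


def matches_medusa_inbound(payload: bytes) -> bool:
    """dsize:<510; content 1; content 2 with distance:0 (anywhere after content 1)."""
    if len(payload) >= 510:
        return False
    p1 = snort_content_to_bytes(MEDUSA_CONTENT_1)
    p2 = snort_content_to_bytes(MEDUSA_CONTENT_2)
    first = payload.find(p1)
    if first < 0:
        return False
    return payload.find(p2, first + len(p1)) >= 0


# Constructed decoy page, not a captured C2 response.
SAMPLE_HTML = ('<html><head><title>Under Construction</title></head><body>'
               '<a href="http://www.microsoft.com">www.microsoft.com</a>'
               '</body></html>')
SAMPLE_WIDE = SAMPLE_HTML.encode("utf-16-le")   # the encoding the rule is written for
SAMPLE_ASCII = SAMPLE_HTML.encode("ascii")      # same text, single-byte: no match


if __name__ == "__main__":
    print(repr(decode_wide(MEDUSA_CONTENT_1)), repr(decode_wide(MEDUSA_CONTENT_2)))
    print(matches_medusa_inbound(SAMPLE_WIDE), matches_medusa_inbound(SAMPLE_ASCII))
```

The ASCII negative case is the practical caveat: a server that returns the same "Under Construction" page in a single-byte encoding falls outside this rule, and the `dsize:<510` cap means a padded or larger response does too.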
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bbc_mirror/"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33059; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"CNN_Mirror/EN"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33060; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Heur variant outbound connection"; flow:to_server, established; content:"GET"; http_method; urilen:17; content:"/01/WindowsUpdate"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2fb5c3859df3b46cc7e2e2176654cb7e5f739f2bc9faf3e813736b37c6d3b6bc/analysis/; classtype:trojan-activity; sid:33153; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: Mazilla/5.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33207; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE SoftPulse variant HTTP response attempt"; flow:to_client,established; file_data; content:",|22|installerBehavior|22|:{|22|hideOnInstall|22|:"; fast_pattern:only; content:"{|22|time|22|:"; content:"|22|country|22|"; within:30; content:",|22|countryId|22|:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62afc417baa6333670e1e3011/analysis/1421687954/; classtype:trojan-activity; sid:33212; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; urilen:9; content:"POST"; http_method; content:"/2ldr.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/eefe5370b09a32a7b295c136073a8560958c4a58822a7da5b501a10543266c6e/analysis/1421697833/; classtype:trojan-activity; sid:33219; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"HawkEye Keylogger"; fast_pattern:only; content:"Subject: =?utf-8?B"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33220; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?"; fast_pattern; content:"=?=|0D 0A|"; within:150; flowbits:set,hawk.lgr; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33221; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"=0D=0AClipboard"; fast_pattern:only; content:"=0D=0AKeyboard"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33222; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"name=screenshot"; fast_pattern:only; pcre:"/name\x3dscreenshot\d+\x2e/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33223; rev:1;)
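The four HawkEye rules above are a two-stage chain, and the stage boundary is easy to miss when reading them flat: sid 33221 never alerts (`flowbits:noalert`), it only sets `hawk.lgr` when an SMTP stream carries a base64 UTF-8 `Subject:` header, and sids 33222 and 33223 fire only when that bit is already set on the same flow. That is what keeps a quoted-printable body mentioning "Clipboard" and "Keyboard", or an attachment called `screenshot1.jpg`, from alerting on ordinary mail. The Python below is an added example, not part of the rule set, that models the chain as per-flow state and runs it over two constructed SMTP segments; the session data is made up for the test, not captured exfiltration.

```python
"""Added example (not part of the rule set): the HawkEye SMTP chain (sids
33220-33223) rewritten as stateful Python so the flowbits hand-off is visible.
sid 33221 only sets hawk.lgr (flowbits:noalert); 33222 and 33223 alert only
when that bit is already set on the flow. The SMTP segments below are
constructed for the test, not captured exfiltration."""
import re
from typing import List, Set


class Flow:
    """Per-connection state; Snort keeps flowbits on the TCP session."""
    def __init__(self) -> None:
        self.bits: Set[str] = set()


def rule_33220(data: bytes) -> bool:
    """Stand-alone rule: tool name plus a base64 utf-8 Subject, both case-sensitive."""
    return b"HawkEye Keylogger" in data and b"Subject: =?utf-8?B" in data


def rule_33221(flow: Flow, data: bytes) -> bool:
    """Stage 1: encoded-word Subject whose "=?=\\r\\n" terminator ends within 150 bytes."""
    head = b"Subject: =?utf-8?B?"
    start = data.find(head)
    if start < 0:
        return False
    after = start + len(head)
    if data.find(b"=?=\r\n", after, after + 150) < 0:   # within:150
        return False
    flow.bits.add("hawk.lgr")                           # flowbits:set,hawk.lgr
    return True                                         # flowbits:noalert


def rule_33222(flow: Flow, data: bytes) -> bool:
    """Stage 2a: quoted-printable body with Clipboard and Keyboard sections."""
    if "hawk.lgr" not in flow.bits:
        return False
    if b"=0D=0AClipboard" not in data:                  # first content is case-sensitive
        return False
    return b"=0d=0akeyboard" in data.lower()            # second content is nocase


def rule_33223(flow: Flow, data: bytes) -> bool:
    """Stage 2b: MIME part named screenshot<digits>.<ext>."""
    if "hawk.lgr" not in flow.bits or b"name=screenshot" not in data:
        return False
    return re.search(rb"name\x3dscreenshot\d+\x2e", data, re.I) is not None


def inspect_segment(flow: Flow, data: bytes) -> List[int]:
    """Evaluate one client-to-server SMTP segment; return the sids that would alert."""
    fired: List[int] = []
    if rule_33220(data):
        fired.append(33220)
    rule_33221(flow, data)            # may set the bit, never alerts
    if rule_33222(flow, data):
        fired.append(33222)
    if rule_33223(flow, data):
        fired.append(33223)
    return fired


# Constructed SMTP data, split as two TCP segments (headers, then body).
HEADERS = (b"MAIL FROM:<logger@example.test>\r\nRCPT TO:<drop@example.test>\r\nDATA\r\n"
           b"From: logger@example.test\r\nTo: drop@example.test\r\n"
           b"Subject: =?utf-8?B?S2V5bG9nZ2VyIHJlcG9ydA==?=\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n")
BODY = (b"--b1\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n"
        b"Report=0D=0AClipboard: pasted text=0D=0AKeyboard: typed text=0D=0A\r\n"
        b"--b1\r\nContent-Type: image/jpeg; name=screenshot1.jpg\r\n"
        b"Content-Disposition: attachment; filename=screenshot1.jpg\r\n\r\n/9j/4AAQ\r\n--b1--\r\n")


def run_session(segments: List[bytes]) -> List[List[int]]:
    """Fresh flow, segments in order; returns the alert list per segment."""
    flow = Flow()
    return [inspect_segment(flow, seg) for seg in segments]


if __name__ == "__main__":
    print(run_session([HEADERS, BODY]))   # stage 1 is silent, stage 2 alerts
    print(run_session([BODY]))            # same body, no prior Subject: nothing fires
```

Note that the subject-line contents in 33220 and 33221 are case-sensitive (`utf-8`, no `nocase`), so a sender that emits `UTF-8` in the encoded word would leave the flowbit unset and silence the whole chain; the last assertion in the test shows that gap.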
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE
Win.Trojan.Blocker variant outbound connection attempt";
flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B|
WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36|0D
0A|Host: checkip.dyndns.org|0D 0A|"; fast_pattern:only; http_header;
content:!"Accept"; http_header; metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63
719e02630a70d6ae9a3ca4/analysis/1421439683/; classtype:misc-activity; sid:33224;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136;
urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B|
MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|
Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab6
3502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kovter variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"/form2.php"; fast_pattern:only; http_uri;
content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100,300}/Pi";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbddecbc171c55
2e7fbe5aba516ef11b08f0/analysis/; classtype:trojan-activity; sid:33228; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Upatre variant outbound connection"; flow:to_server,established;
content:"/js/jquery-"; fast_pattern; http_uri; content:".js?"; within:15;
distance:1; http_uri; pcre:"/\x2ejs\x3f[a-zA-Z0-9]{9,20}=Mozilla\x2f/UGi";
content:"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d04dc1d60d63
827099ca7c14063f54967a/analysis/1421616162/; classtype:trojan-activity; sid:33282;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection"; flow:to_server,established;
content:"/r1xpr/r1xe.html"; fast_pattern:only; http_uri; content:"User-Agent:
Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527a9452f2dad
3c63674afa7f6796d96f02/analysis/; classtype:trojan-activity; sid:33443; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established;
content:"/m343ff4ufbnmm4uu4nf34m443frr/"; fast_pattern:only; http_uri;
content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-
ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db692fd5c9df
3caee464f8b4125d46c1a4/analysis/; classtype:trojan-activity; sid:33444; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established;
dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0
(compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|
3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|
Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d73880
18408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.FileEncoder variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"="; depth:2; http_client_body;
content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header;
content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header;
content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header;
pcre:"/[a-z]\x3d[a-f\d]{126}/P"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d73880
18408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33450; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS
Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established;
content:".gif?action="; http_uri; content:"&browser="; distance:0; http_uri;
content:"&osbuild="; distance:0; http_uri; content:"&osprod="; distance:0;
http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d870507b868ee4e
1acff62f0d301c43492709/analysis/; classtype:trojan-activity; sid:33452; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kovter variant outbound connection"; flow:to_server,established;
urilen:13; content:"POST"; http_method; content:"/12/index.php"; fast_pattern:only;
http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B|
rv:11.0) like Gecko|0D 0A|"; http_header; content:!"Accept"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9acb33fdd89
a5ad98b0ec2649fb116a52/analysis/1422981882/; classtype:trojan-activity; sid:33453;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection"; flow:to_server,established;
content:"GET"; http_method; content:"User-Agent: http://www.pershop.com.br/";
fast_pattern:only; http_header; content:".php"; http_uri; content:!"Referer:";
http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06b5c3962e0d
2b894f4794ac8ee5eee2eb/analysis/; classtype:trojan-activity; sid:33457; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
known malicious user agent - ALIZER"; flow:to_server,established; content:"User-
Agent|3A 20|ALIZER|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d
1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33519; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Zusy inbound CNC response"; flow:to_client,established; file_data;
content:"|0A|Array|0A 28 0A 20 20 20 20 5B|"; fast_pattern; content:"] => ";
within:20; pcre:"/\x0aArray\x0a\x28\x0a\x20{4}\x5b[a-z\d]
{11}\x5d\x20\x3d\x3e\x20\d{16}\x0a\x29/i"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d
1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33520; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zusy variant outbound connection"; flow:to_server,established;
content:"&pcname="; fast_pattern:only; http_client_body; content:"hwid="; depth:5;
http_client_body; content:"&mode="; within:50; http_client_body;
content:"&system="; within:32; http_client_body; content:"&version="; within:60;
http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d
1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33521; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent
known malicious user-agent - DNS Changer"; flow:to_server,established;
content:"User-Agent|3A 20|DNS Check|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0
228b964a98c45428cb4e3c/analysis/;
reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b96
9171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33522; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established;
content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only;
http_header; content:"/postinstall.php?"; http_uri; content:"src="; within:5;
http_uri; content:"&medium="; within:15; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0
228b964a98c45428cb4e3c/analysis/;
reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b96
9171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33523; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; content:"/updateb.xml?"; fast_pattern:only; http_uri; content:"rnd="; http_uri; content:"&spfail="; within:20; http_uri; content:"&guid="; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33524; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Turla outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?uid="; http_uri; content:"&context="; distance:0; http_uri; content:"&mode=text"; distance:0; fast_pattern; http_uri; content:"&data="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/; classtype:trojan-activity; sid:33547; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/check.action?iid="; http_uri; content:"&kernel="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33646; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"POST"; http_method; content:"/submit.action?username="; http_uri; content:"&password="; within:30; http_uri; content:".tgz"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33647; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"/compiler.action?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33648; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro"; flow:to_server,established; content:"User-Agent: Google Omaha|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/34a3667846bbdea8dc92150e6766e3bac129a2b5fd4856c6f1512e794b90f23d/analysis/; classtype:trojan-activity; sid:33649; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tinba outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:9; content:"/preview/"; http_uri; content:"Content-Length: 157|0D 0A|"; http_header; content:!"User-Agent|3A 20|"; http_header; content:"|00 80 00 00 00|"; depth:5; offset:24; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8eb2c85abe7acee219e344ae0592a2b1c159bdafa037be39ac062bdaeeb1f621/analysis/; classtype:trojan-activity; sid:33650; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Babar outbound connection"; flow:to_server,established; content:"/bb/index.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSI 6.0|3B|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf/analysis/; classtype:trojan-activity; sid:33677; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FannyWorm outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B|)|0D 0A|"; fast_pattern:only; http_header; content:"/ads/QueryRecord"; http_uri; content:".html"; within:25; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9/analysis/; classtype:trojan-activity; sid:33678; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft emf file download request"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:33740; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/install.ashx?id="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33815; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/ping.ashx?action="; fast_pattern:only; http_uri; content:"&usid="; http_uri; content:"&aff="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33816; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/service/related?sector="; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33822; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 40 00 00 00|"; within:8; distance:24; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:33825; rev:4;)
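# Added example (not part of the community rule set): Python that constructs a minimal
# SMB1 SESSION_SETUP_ANDX request carrying an NTLMSSP AUTHENTICATE message, parses it
# back with struct, and shows where each distance/within in sid 33825 lands (the SMB
# header Reserved field, AndXCommand, and the UserName Len/MaxLen/BufferOffset triple)
# and why an all-zero UserName length with buffer offset 0x40 means an anonymous logon.
# Every packet, flag value, PID/MID and the sample user "alice" are constructed for the
# example; the 64-byte AUTHENTICATE layout omits the optional Version and MIC fields.

```python
"""Build, parse and check an SMB1 Session Setup AndX with an NTLMSSP AUTHENTICATE
message, mirroring the byte offsets chained together by Snort sid 33825.
All packets are constructed test data, not captures."""
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_NONE = 0xFF                    # AndXCommand value meaning "no chained command"
NTLMSSP_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
AUTH_FIXED_LEN = 64                    # AUTHENTICATE header without Version/MIC (assumed layout)


def build_ntlmssp_authenticate(user: str = "", domain: str = "", workstation: str = "",
                               flags: int = 0x60088215) -> bytes:
    """AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) with empty LM/NT responses. After the 8-byte
    signature and 4-byte type come six (Len, MaxLen, BufferOffset) triples in the order
    LmChallengeResponse, NtChallengeResponse, DomainName, UserName, Workstation,
    EncryptedRandomSessionKey, then NegotiateFlags, then the payload at offset 64."""
    bufs = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
            workstation.encode("utf-16-le"), b""]
    fields, payload = b"", b""
    for buf in bufs:
        fields += struct.pack("<HHI", len(buf), len(buf), AUTH_FIXED_LEN + len(payload))
        payload += buf
    return (b"NTLMSSP\x00" + struct.pack("<I", NTLMSSP_AUTHENTICATE) + fields
            + struct.pack("<I", flags) + payload)


def build_session_setup_andx(security_blob: bytes) -> bytes:
    """NetBIOS session header + 32-byte SMB1 header + SESSION_SETUP_ANDX request
    (WordCount 12, extended security). The blob is placed raw; real clients wrap it in
    SPNEGO, which the rule tolerates by searching for 'NTLMSSP' within 100 bytes."""
    smb_header = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX])
                  + struct.pack("<I", 0)                     # Status (0 in a request)
                  + b"\x18" + struct.pack("<HH", 0xC807, 0)  # Flags, Flags2, PIDHigh (constructed)
                  + b"\x00" * 8 + b"\x00\x00"                # SecuritySignature, Reserved (SMB offset 22)
                  + struct.pack("<HHHH", 0, 0xFEFF, 0, 1))   # TID, PIDLow, UID, MID (constructed)
    params = struct.pack("<BBBHHHHIHII",
                         12, SMB_COM_NONE, 0, 0,             # WordCount, AndXCommand, AndXReserved, AndXOffset
                         0xFFFF, 2, 1, 0,                    # MaxBufferSize, MaxMpxCount, VcNumber, SessionKey
                         len(security_blob), 0, 0x8000C044)  # SecurityBlobLength, Reserved, Capabilities
    native = b"\x00\x00" * 2                                 # empty NativeOS / NativeLanMan
    body = params + struct.pack("<H", len(security_blob) + len(native)) + security_blob + native
    smb = smb_header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def extract_security_blob(packet: bytes) -> bytes:
    """Walk the headers and return the security blob of a SESSION_SETUP_ANDX request
    that carries no chained command (the precondition the rule encodes)."""
    if len(packet) < 63 or packet[0] != 0x00 or packet[4:8] != b"\xffSMB":
        raise ValueError("not SMB1 over the NetBIOS session service")
    command, status = packet[8], struct.unpack_from("<I", packet, 9)[0]
    if command != SMB_COM_SESSION_SETUP_ANDX or status != 0:
        raise ValueError("not a SESSION_SETUP_ANDX request")
    word_count, andx_command = packet[36], packet[37]
    if word_count != 12 or andx_command != SMB_COM_NONE:
        raise ValueError("unexpected WordCount or a chained AndX command")
    blob_len = struct.unpack_from("<H", packet, 51)[0]
    byte_count = struct.unpack_from("<H", packet, 61)[0]
    blob = packet[63:63 + blob_len]
    if blob_len > byte_count or len(blob) != blob_len:
        raise ValueError("truncated security blob")
    return blob


def parse_ntlmssp_authenticate(blob: bytes) -> dict:
    """Decode the fixed fields of the AUTHENTICATE_MESSAGE found inside `blob`."""
    start = blob.find(b"NTLMSSP\x00")
    if start < 0 or struct.unpack_from("<I", blob, start + 8)[0] != NTLMSSP_AUTHENTICATE:
        raise ValueError("no NTLMSSP AUTHENTICATE message in blob")
    msg = blob[start:]
    names = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
    out = {}
    for i, name in enumerate(names):
        length, _max_len, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        out[name] = msg[offset:offset + length]
    out["flags"] = struct.unpack_from("<I", msg, 60)[0]
    if out["flags"] & NTLMSSP_NEGOTIATE_UNICODE:
        for name in ("domain", "user", "workstation"):
            out[name] = out[name].decode("utf-16-le")
    return out


def is_null_session(packet: bytes) -> bool:
    """Anonymous logon: the AUTHENTICATE message carries an empty UserName, which is what
    the rule's final content (all-zero UserName Len and MaxLen) tests for."""
    return parse_ntlmssp_authenticate(extract_security_blob(packet))["user"] == ""


def matches_rule_33825(packet: bytes) -> bool:
    """The rule's content chain as absolute offsets: cursor 13 + distance 13 = 26 is the SMB
    Reserved field, cursor 28 + distance 9 = 37 is AndXCommand, and 24 bytes past the 12-byte
    NTLMSSP signature+type skips the LM, NT and Domain triples to reach UserName."""
    ntlm = packet.find(b"NTLMSSP\x00\x03\x00\x00\x00", 38)
    return (packet[4:13] == b"\xffSMB\x73\x00\x00\x00\x00"        # depth:9 offset:4
            and packet[26:28] == b"\x00\x00"                          # within:2 distance:13
            and packet[37] == 0xFF                                    # within:1 distance:9
            and ntlm >= 0 and ntlm + 12 <= 38 + 100                   # within:100
            and packet[ntlm + 36:ntlm + 44] == b"\x00\x00\x00\x00\x40\x00\x00\x00")  # within:8 distance:24
```

# build_session_setup_andx(build_ntlmssp_authenticate()) is the anonymous case; pass a
# user name to see both is_null_session() and matches_rule_33825() turn false together.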
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla"; http_header; content:" Loader|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33833; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" Pi/3.1415926|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33834; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" in my heart of heart.|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:33835; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; fast_pattern:only; http_header; content:"uid="; depth:4; http_client_body; content:"&uinfo="; within:26; http_client_body; content:"&win="; distance:0; http_client_body; content:"&bits="; within:6; distance:3; http_client_body; content:"&build="; within:20; distance:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33851; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; http_header; content:"oprat="; depth:6; http_client_body; content:"&uinfo="; within:10; distance:23; http_client_body; content:"&win="; distance:0; http_client_body; content:"&vers="; within:6; distance:3; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33852; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"KrisR"; depth:5; content:"|00 00 00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:33885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VBPasswordStealer variant outbound connection"; flow:to_server,established; content:"/index.php?"; http_uri; content:"action=add"; fast_pattern; http_uri; content:"&username="; distance:0; http_uri; content:"&password="; distance:0; http_uri; content:"&app="; distance:0; http_uri; content:"&pcname="; distance:0; http_uri; content:"&sitename="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4f0988ac590d52b97b1a162f5ee098c38f6e640be783a511049d8e5006cac011/analysis/; classtype:trojan-activity; sid:34047; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix precheck stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=prechecking"; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix fetch offers stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=getcombo"; distance:0; http_uri; content:"&offers="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting binary installation stage status"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; offset:1; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|machine_ID|22|"; distance:0; http_client_body; content:"|22|result|22|"; distance:0; http_client_body; content:"|22|failure_reason|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34121; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting fetch offers stage status"; flow:to_server,established; content:"/report.php?"; http_uri; content:"download_id="; distance:0; http_uri; content:"&mode="; distance:0; http_uri; content:"&combo_id="; distance:0; http_uri; content:"&os_name="; distance:0; http_uri; content:"&os_add="; distance:0; http_uri; content:"&os_build="; distance:0; http_uri; content:"&proj_id="; distance:0; http_uri; content:"&offer_id="; distance:0; http_uri; content:!"Connection"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34122; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent Vitruvian"; flow:to_server,established; content:"User-Agent|3A 20|Vitruvian"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34125; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"hid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&tr="; distance:0; http_uri; content:"&a="; distance:0; http_uri; content:"&adm="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34126; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"sid="; http_uri; content:"&st="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34127; rev:1;)
alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant MSSQL response"; flow:to_client,established; content:"|0B|m|00|a|00|c|00|a|00|v|00|e|00|r|00|d|00|e|00|m|00|2|00 06|m|00|a|00|s|00|t|00|e|00|r|00|"; fast_pattern:only; content:"|08|D|00|B|00|S|00|Q|00|0|00|0|00|1|00|7|00|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/22ccd94c7e99a17753218708cea1abe162d289b7a0105c3be9620bf224f36f3f/analysis/; classtype:trojan-activity; sid:34136; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SearchProtect user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|SearchProtect|3B|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/cbddccb934d302497ac60f924088034a1852c378cc51df20c2e53b401ffc4651/analysis/; classtype:misc-activity; sid:34137; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_client,established; content:"|00 DE C5 45 99 14 1E F5 7E 56 78 DF 23 CE 8A 12|"; fast_pattern:only; content:"LvtfOWStYYHNbdiE15aNsOyg"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:34140; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer installation status"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; depth:15; offset:1; http_client_body; content:"|22|installation_session_id|22|"; within:100; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|command_line|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34144; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer encrypted data transmission"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|encryptedKey|22|"; depth:20; offset:1; http_client_body; content:"|22|encryptedData|22|"; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34145; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer geolocation request"; flow:to_server,established; content:"/ip/?client=sp"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34146; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo outbound connection"; flow:to_server,established; urilen:30<>65; content:"/atJs/v"; fast_pattern; http_uri; content:"/Client/"; within:8; distance:1; http_uri; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34236; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo get advertisement"; flow:to_server,established; content:"/cgi-bin/advert/getads.cgi?"; http_uri; content:"did="; distance:0; http_uri; content:"User-Agent|3A 20|mpck_"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34237; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/check?iid="; http_uri; content:"&kernel="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34261; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"/compiler?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34262; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/upload/module"; http_uri; content:"build.tgz"; within:9; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34263; rev:2;)
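# Added example (not part of the community rule set): a small Python evaluator for the
# content/distance/within/depth/offset/urilen semantics that the XORDDoS rules rely on
# (sids 33646-33648 above and sids 34261-34263 here, which differ only in the ".action"
# suffix), run over constructed URIs. It shows why "distance:32; within:8" in front of
# "&kernel=" only matches an iid value of exactly 32 bytes, and how "distance:1; within:30"
# in the compiler rules bounds the username value to 1..21 bytes. The IID constant and
# every URI are made up for the example; nothing is taken from the referenced samples.

```python
"""Mini-evaluator for Snort content modifiers on the normalized URI buffer, applied to
the XORDDoS check-in and compiler rules. Constructed input only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Content:
    pattern: bytes
    offset: int = 0                  # absolute: start searching here
    depth: Optional[int] = None      # absolute: search only this many bytes from offset
    distance: Optional[int] = None   # relative: move the cursor this far past the previous match
    within: Optional[int] = None     # relative: the pattern must END within this many bytes


def match_chain(buf: bytes, chain) -> bool:
    """Evaluate an ordered content chain with Snort's cursor semantics.

    A content carrying distance or within is relative: the search starts at the end of the
    previous match (the cursor) plus distance, and within caps the window so the pattern
    has to end no later than cursor + distance + within. A content with neither modifier is
    absolute and searches from offset for depth bytes (or to the end). Each hit moves the
    cursor to the end of the matched pattern.
    """
    cursor = 0
    for c in chain:
        if c.distance is not None or c.within is not None:
            start = cursor + (c.distance or 0)
            end = start + c.within if c.within is not None else len(buf)
        else:
            start = c.offset
            end = start + c.depth if c.depth is not None else len(buf)
        if start < 0 or start > len(buf):
            return False
        hit = buf.find(c.pattern, start, min(end, len(buf)))
        if hit < 0:
            return False
        cursor = hit + len(c.pattern)
    return True


def checkin_rule(action_suffix: bytes) -> list:
    """sids 33646 / 34261: "&kernel=" is 8 bytes, so distance:32 + within:8 leaves a window
    that the pattern can only fill if the iid value is exactly 32 bytes long."""
    return [Content(b"/check" + action_suffix + b"?iid="),
            Content(b"&kernel=", distance=32, within=8)]


def compiler_rule(action_suffix: bytes) -> list:
    """sids 33648 / 34262: within:10 pins "&username=" to 32 bytes after the prefix;
    distance:1 + within:30 means "&password=" (10 bytes) must end within 31 bytes of the
    cursor, so the username value is 1..21 bytes; "&kernel=" with distance:0 may follow
    anywhere later in the URI."""
    return [Content(b"/compiler" + action_suffix + b"?iid="),
            Content(b"&username=", distance=32, within=10),
            Content(b"&password=", distance=1, within=30),
            Content(b"&kernel=", distance=0)]


def xorddos_checkin(uri: bytes) -> bool:
    """urilen:<64 plus the check-in chain, for either the .action or the bare endpoint."""
    return len(uri) < 64 and any(match_chain(uri, checkin_rule(s)) for s in (b".action", b""))


def xorddos_compiler(uri: bytes) -> bool:
    """urilen:>100 plus the compiler chain, for either endpoint spelling."""
    return len(uri) > 100 and any(match_chain(uri, compiler_rule(s)) for s in (b".action", b""))


IID = b"0123456789abcdef0123456789abcdef"   # 32-byte placeholder iid, constructed


def demo() -> dict:
    """Constructed URIs exercising the length bounds the rules encode."""
    return {
        "checkin_ok": xorddos_checkin(b"/check.action?iid=" + IID + b"&kernel=3.10"),
        "checkin_bare_ok": xorddos_checkin(b"/check?iid=" + IID + b"&kernel=3.10"),
        "checkin_short_iid": xorddos_checkin(b"/check.action?iid=" + IID[:31] + b"&kernel=3.10"),
        "checkin_long_iid": xorddos_checkin(b"/check.action?iid=" + IID + b"0&kernel=3.10"),
        "checkin_uri_too_long": xorddos_checkin(b"/check.action?iid=" + IID + b"&kernel=" + b"x" * 12),
        "compiler_ok": xorddos_compiler(b"/compiler.action?iid=" + IID + b"&username=root&password="
                                        + b"p" * 60 + b"&kernel=3.10"),
        "compiler_long_user": xorddos_compiler(b"/compiler.action?iid=" + IID + b"&username=" + b"u" * 22
                                               + b"&password=" + b"p" * 60 + b"&kernel=3.10"),
    }
```

# demo() returns True only for the two well-formed check-ins and the compiler request with
# a 4-byte username; the 31- and 33-byte iids, the over-length URI and the 22-byte username
# all fall outside the windows the rules define.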
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin XSS redirect attempt"; flow:to_server,established; content:"/misc.php?v="; http_uri; content:"&js=js"; within:12; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/url/6a7664105f1f144930f51e71dd0fec728607b4c9e33037d376cd7bf8351273a9/analysis/1430224991/; classtype:web-application-attack; sid:34287; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kraken outbound connection"; flow:to_server,established; content:"/idcontact.php?"; http_uri; content:"&steam="; within:35; http_uri; content:"&origin="; within:10; http_uri; content:"&webnavig="; within:12; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; reference:url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/; classtype:trojan-activity; sid:34292; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/get_status.php?name="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34307; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/products/fupdates.php?"; http_uri; content:"account="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34308; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/products/file_order"; http_uri; content:".php?"; within:8; http_uri; content:"name="; distance:0; http_uri; content:"&path="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34309; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/add_user.php?name="; http_uri; content:"&user="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/"; http_uri; content:"_flash"; within:12; http_uri; content:".php?"; within:15; http_uri; content:"name="; distance:0; http_uri; content:"&serial="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34311; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/get_tree.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&date="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34312; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/add_tree.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&date="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34313; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/all_file_info1.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&user="; distance:0; http_uri; content:"&file="; distance:0; http_uri; content:"&type="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/flupdate/"; http_uri; content:".html"; within:7; http_uri; pcre:"/\/flupdate\/\d\.html/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34315; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/gget_rtemp.php?n="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|SK"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/aadd_rtemp.php?n="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|SK"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34317; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection"; flow:to_server,established; urilen:<130; content:".php?"; nocase; http_uri; content:"|3D|"; within:1; distance:1; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; nocase; http_header; content:!"|0D 0A|Accept-"; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; content:"|3D|"; depth:2; offset:1; http_client_body; pcre:"/^[a-z]\x3d[a-f\d]{80,140}$/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d14f1d1e07bd116ed0faf5896438177f36a05adacf5af4f32910e313e9c1fd93/analysis/; classtype:trojan-activity; sid:34318; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magento remote code execution attempt"; flow:to_server,established; content:"/Adminhtml_"; http_uri; content:"forwarded="; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2015-1398; classtype:attempted-admin; sid:34365; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Beebone outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|"; fast_pattern:only; content:"GET"; pcre:"/GET \/[a-z]{8,12}\?[a-z] HTTP\/1.1/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/b06c6ac1174a6992f423d935ccba6f34f107b6591768a743d44d66423312d33a/analysis/; classtype:trojan-activity; sid:34366; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; urilen:16; content:"/arquivo/vrs.txt"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34367; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; urilen:19; content:"/arquivo/cookie.txt"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34368; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/poppxr/popi.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34452; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"sname="; depth:6; http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34453; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Linux.Trojan.Mumblehard variant outbound connection"; flow:to_server,established; content:"POST / HTTP/1.0|0D 0A|Host: "; depth:28; content:"Content-type: application/x-www-form-urlencoded|0D 0A|Content-Length: "; within:100; content:"|0D 0A 0D 0A 0F 0F 09|"; within:25; fast_pattern; content:!"User-Agent: "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/file/9512cd72e901d7df95ddbcdfc42cdb16141ff155e0cb0f8321069212e0cd67a8/analysis/1430996623; classtype:trojan-activity; sid:34461; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Downloader.Mumblehard variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| rv:7.0.1) Gecko/20100101 Firefox/7.0.1|0D 0A|"; fast_pattern:only; http_header; content:"Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.8,*/*|3B|q=0.9|0D 0A|"; http_header; content:"Accept-Language: en-us,en|3B|q=0.5|0D 0A|"; distance:0; http_header; content:"Accept-Encoding: gzip, deflate|0D 0A|"; distance:0; http_header; content:"Accept-Charset: ISO-8859-1,utf-8|3B|q=0.7,*|3B|q=0.7|0D 0A|"; distance:0; http_header; content:"Connection: close|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/file/84dfe2ac489ba41dfb25166a983ee2d664022bbcc01058c56a1b1de82f785a43/analysis/1430849540/; classtype:trojan-activity; sid:34462; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection"; flow:established, to_server; dsize:16; content:"|00 00 00 11 C8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34500; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection"; flow:established, to_server; dsize:16; content:"|00 00 00 11 D0 00 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34501; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/popkx3/popi.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d6beeae945d570d98784bdea68310ddef17f4a03534632dec48c691677c67402/analysis/; classtype:trojan-activity; sid:34622; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - EMERY - Win.Trojan.W97M"; flow:to_server,established; content:"User-Agent|3A 20|EMERY|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d0f0a446162c6dafc58e4034f4879275d3766f20336b6998cb5a5779d995a243/analysis/; classtype:trojan-activity; sid:34843; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 03|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:34864; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/vbulletin/post.php?qu="; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a184775757cf30f9593977ee0344cd6c54deb4b14a012a7af8e3a2cdbb85a749/analysis/; classtype:trojan-activity; sid:34868; rev:1;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Critroni certificate exchange"; flow:to_client,established; content:"|00 D3 62 47 DA 62 4A A1 34|"; content:"|3B 02 49 86 4B DF D7 D7 6C E2 2F 36 81 01 24 3F|"; within:400; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/af7a9f581653394955bec5cf10a7dbafbf64f42d09918807274b5d25849a1251/analysis/; classtype:trojan-activity; sid:34917; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"ID_MAQUINA="; fast_pattern:only; http_client_body; content:"&VERSAO="; nocase; http_client_body; content:"&WIN="; within:50; nocase; http_client_body; content:"&NAVEGADOR="; within:200; nocase; http_client_body; content:"&PLUGIN="; within:50; nocase; http_client_body; content:"&AV="; within:50; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7816d2b6507950177cf1af596744abe523cad492f4d78e230962602b1b269044/analysis/; classtype:trojan-activity; sid:34931; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Prok variant outbound connection"; flow:to_server,established; content:"/prok/"; http_uri; content:"Content-Type: multipart/form-data, boundary=7DF051D"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ada4a63abae42266f9d472f1d4ebd0bd22702270f8b38ad7a824a16ce449ea2b/analysis/; classtype:trojan-activity; sid:34950; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/forum/image.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/38c7d403660c98ceb0246192d7d89cd66e126c6721008f6b347d4d53b4dc063b/analysis/; classtype:trojan-activity; sid:34958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"texto=%0D%0A"; depth:12; http_client_body; content:"/consulta"; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33b598e185ba483c5c1571651a03b90359fb1f56b55e902c7038baf315c5dad9/analysis/; classtype:trojan-activity; sid:34959; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Sendori user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|Sendori-Client-Win32"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/26ee215c531b6c50d28ef9b9a48db05b08139e460b997167de1813484beb7a9e/analysis/; classtype:misc-activity; sid:34964; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; urilen:43; content:"/imagens/nacional/new/1/2/3/br/contador.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34994; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra HTTP Header Structure"; flow:to_server,established; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:".php HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; content:".php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34995; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent-ALPW variant outbound connection"; flow:to_server,established; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"A="; depth:2; http_client_body; content:".php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6452bea82dbef796eaed8d2403ffa7141e4379bb052fdb7b63a21400c04b0334/analysis/; classtype:trojan-activity; sid:34996; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant HTTP Response"; flow:to_client,established; dsize:<54; content:"HTTP/1.1 200 OK|0D 0A|Content-Length: "; content:"|0D 0A 0D 0A|session:"; within:15; fast_pattern; pcre:"/\r\n\r\nsession\x3a\d{1,7}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1ed49a78ee46c4a0d2eeb3b9ab707b40d3c87448c6f399d7fceefc0c16c66d38/analysis/; classtype:trojan-activity; sid:34997; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:9; content:"/diff.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35030; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Zusy variant outbound connection"; flow:to_server,established; urilen:21; content:"POST"; http_method; content:"/siganofi/rounder.php"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:"Pragma|3A| no-cache|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/857ae380e297f840b88146ec042286ef459a1c4dc53680b117a9677b189e6c68/analysis/; classtype:trojan-activity; sid:35076; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif outbound connection"; flow:to_server,established; content:"/photoLibrary/?user="; http_uri; content:"&ver="; http_uri; content:"&os2="; fast_pattern:only; http_uri; content:"&type="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35312; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall click fraud response"; flow:to_client,established; file_data; content:"2|7C|http://"; depth:9; content:"/search.php|7C|http://"; within:60; content:"|7C|Mozilla/4.0 "; within:100; content:"/r.php?key="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/3b78dd891a81c18cffa5031e52f9c2329e2986ba83c5c75a67dc4ae3d1f0bec3/analysis/; classtype:trojan-activity; sid:35344; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Elise.B variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 8.0)"; fast_pattern:only; http_header; urilen:28; content:"/page_"; depth:6; offset:9; nocase; http_uri; content:".html"; within:5; distance:8; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04/analysis/; classtype:trojan-activity; sid:35353; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bedep initial outbound connection"; flow:to_server,established; content:"protocolVersion|22|"; offset:2; http_client_body; content:"|22|rev|22|"; within:10; http_client_body; content:"|22|buildId|22|"; within:15; http_client_body; content:"|22|tags|22 3A|"; distance:0; http_client_body; content:"|22|type|22 3A 22|"; within:10; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35386; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda initial outbound connection"; flow:to_server,established; content:"/forum.php"; depth:10; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35387; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda download request"; flow:to_server,established; content:".mod"; http_uri; pcre:"/[a-z]{2}_[a-z0-9]{8}\.mod/Ui"; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35388; rev:1;)
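# The rules in this file are built from a small vocabulary: content strings with |..| hex
# escapes, the http_uri/http_header/http_client_body/http_method buffer selectors, negated
# content (content:!"Accept"), absolute anchors (offset/depth), relative anchors
# (distance/within), urilen/dsize and pcre with buffer flags. The block below is an added
# example, not part of this rule set and not Snort code: a toy evaluator for exactly that
# vocabulary, run over constructed HTTP requests so the effect of each modifier can be seen.
# It keeps the detection options of sid 35030 (Zeus) and sid 35388 (Andromeda) verbatim and
# drops their metadata/reference options, which the evaluator ignores anyway. Assumptions:
# Snort 2 buffer semantics, where the http_header buffer includes the terminating CRLF CRLF
# (several rules above depend on that), and a relative cursor tracked per buffer, a
# simplification of Snort's single cursor. The host name cnc.example and the three sample
# requests are constructed, not captures.

```python
"""Added example, not Snort/Sourcefire code: a toy evaluator for the HTTP options
the rules above use (content on the raw/http_uri/http_header/http_client_body/
http_method buffers, negated content, depth/offset/within/distance, nocase, urilen,
dsize, pcre with i/s/m/U/H/P flags); every other option is ignored."""
import re

HEX_RE = re.compile(r"\|([0-9A-Fa-f ]*)\|")                 # |0D 0A| hex escapes
OPT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')          # ';' outside quotes
BUFFERS = ("http_uri", "http_header", "http_client_body", "http_method")
PCRE_BUF = {"U": "http_uri", "H": "http_header", "P": "http_client_body"}
PCRE_FLAG = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}

def decode_content(text):
    """'User-Agent|3A 20|Mozilla' -> b'User-Agent: Mozilla'."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def parse_rule(line):
    """Turn one single-line rule into an ordered list of checks."""
    rule, cur = {"checks": [], "meta": {}}, None
    for opt in OPT_RE.split(line[line.index("(") + 1:line.rindex(")")]):
        key, _, val = opt.strip().partition(":")
        if key == "content":
            cur = {"kind": "content", "buf": "raw", "nocase": False, "neg": val.startswith("!"),
                   "pat": decode_content(val.lstrip("!").strip('"'))}
            rule["checks"].append(cur)
        elif key in BUFFERS:                # modifier: select the buffer for this content
            cur["buf"] = key
        elif key in ("depth", "offset", "within", "distance"):
            cur[key] = int(val)
        elif key == "nocase":
            cur["nocase"] = True
        elif key == "pcre":                 # "/pattern/flags"
            pat, _, flags = val.strip('"')[1:].rpartition("/")
            rule["checks"].append({"kind": "pcre", "re": re.compile(pat.encode("latin-1"),
                sum(PCRE_FLAG[f] for f in flags if f in PCRE_FLAG)),
                "buf": next((PCRE_BUF[f] for f in flags if f in PCRE_BUF), "raw")})
        elif key in ("urilen", "dsize"):    # length of the URI / of the whole payload
            rule["checks"].append({"kind": "len", "spec": val,
                                   "buf": "http_uri" if key == "urilen" else "raw"})
        elif key in ("msg", "sid", "rev", "classtype"):
            rule["meta"][key] = val.strip('"')
    return rule

def http_buffers(payload):
    """Split a request into Snort 2 style buffers (http_header keeps the CRLF CRLF)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    reqline, _, headers = head.partition(b"\r\n")
    parts = reqline.split(b" ")
    method, uri = (parts[0], parts[1]) if len(parts) == 3 else (b"", b"")
    return {"raw": payload, "http_method": method, "http_uri": uri,
            "http_header": headers + sep if headers else b"", "http_client_body": body}

def length_ok(spec, n):
    """urilen/dsize spec: '9', '>25' or '<54' (the '<>' range form is not handled)."""
    if spec[0] in "<>":
        return n < int(spec[1:]) if spec[0] == "<" else n > int(spec[1:])
    return n == int(spec)

def rule_matches(rule, payload):
    """Evaluate the checks in rule order; every one must hold."""
    bufs, cursor = http_buffers(payload), {}
    for c in rule["checks"]:
        buf = bufs[c["buf"]]
        if c["kind"] == "len":
            if not length_ok(c["spec"], len(buf)):
                return False
        elif c["kind"] == "pcre":
            if not c["re"].search(buf):
                return False
        else:
            if "within" in c or "distance" in c:    # relative to the previous match
                start = cursor.get(c["buf"], 0) + c.get("distance", 0)
                end = start + c["within"] if "within" in c else len(buf)
            else:                                    # absolute: offset/depth
                start = c.get("offset", 0)
                end = start + c["depth"] if "depth" in c else len(buf)
            hay, pat = buf[start:end], c["pat"]
            if c["nocase"]:
                hay, pat = hay.lower(), pat.lower()
            pos = hay.find(pat)
            if (pos < 0) != c["neg"]:                # positive must hit, negated must miss
                return False
            if pos >= 0:
                cursor[c["buf"]] = start + pos + len(pat)
    return True

def scan(rules, payload):
    return [r["meta"]["sid"] for r in rules if rule_matches(r, payload)]

# sid 35030 and sid 35388 from this file, joined onto one line each; the
# metadata/reference options are dropped here because the evaluator ignores them.
RULES = [parse_rule(r) for r in (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant '
    'outbound connection"; flow:to_server,established; urilen:9; content:"/diff.php"; fast_pattern:only; '
    'http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: '
    'application/octet-stream|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; http_client_body; '
    'classtype:trojan-activity; sid:35030; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda download '
    r'request"; flow:to_server,established; content:".mod"; http_uri; pcre:"/[a-z]{2}_[a-z0-9]{8}\.mod/Ui"; '
    r'content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; '
    r'http_header; content:!"Referer"; http_header; classtype:trojan-activity; sid:35388; rev:1;)')]

# Constructed sample traffic (not captures): a Zeus-style beacon, an Andromeda-style
# module download, and a browser request to the same /diff.php path that must not match.
ZEUS_BEACON = (b"POST /diff.php HTTP/1.1\r\nHost: cnc.example\r\nUser-Agent: Mozilla/4.0\r\n"
               b"Content-Type: application/octet-stream\r\nContent-Length: 5\r\n\r\n\xa0\xcd\x37\xa4\x5b")
ANDROMEDA_DL = b"GET /mods/en_abcd1234.mod HTTP/1.1\r\nHost: cnc.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
BROWSER_GET = (b"GET /diff.php HTTP/1.1\r\nHost: cnc.example\r\n"
               b"User-Agent: Mozilla/4.0 (compatible)\r\nAccept: */*\r\n\r\n")
```

# Running scan(RULES, ...) over the three samples shows why the rules are written the way
# they are: the Zeus rule needs the exact "Mozilla/4.0" User-Agent line bounded by CRLFs and
# the five-byte body prefix inside depth:5, so a browser request to /diff.php does not fire;
# the Andromeda rule fires only while the request carries neither an Accept nor a Referer
# header, so adding "Accept: */*" to the download request makes the negated content fail.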
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 01 00 51 02|"; content:"|55 04 06 13 02|XX"; fast_pattern:only; content:"|55 04 07 0C 0C|Default City"; content:"|55 04 0A 0C 13|Default Company Ltd"; distance:6; metadata:impact_flag red, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35393; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac payment page request"; flow:to_server,established; content:".php?user_code="; http_uri; content:"&user_pass="; fast_pattern:only; http_uri; content:"Referer|3A|"; http_header; content:"tor"; within:30; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35394; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:10; content:"/order.php"; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35549; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Potao outbound connection"; flow:to_server,established; content:"|3C|methodName|3E|10a7d030-1a61-11e3-beea-001c42e2a08b|3C 2F|methodName|3E|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88/analysis/; classtype:trojan-activity; sid:35733; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,59406; reference:cve,2013-3071; classtype:attempted-admin; sid:35734; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wild Neutron potential exploit attempt"; flow:to_server,established; urilen:>25; content:".swf?"; http_uri; content:"styleid="; distance:0; http_uri; content:"&langid="; distance:0; http_uri; content:"&sid="; distance:0; http_uri; content:"&d="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:35745; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11; content:"/atomic.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/; classtype:trojan-activity; sid:35746; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.IsSpace outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/SNews.asp?HostID="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35749; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/STTip.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35750; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:35852; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY OLE Document upload detected"; flow:to_server,established; file_data; content:"Content-Disposition|3A|"; nocase; content:"Form-data|3B|"; within:20; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:200; fast_pattern; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:36058; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"/rp?v="; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:"&u="; http_uri; content:"&c="; within:3; distance:32; http_uri; content:"&f="; distance:0; http_uri; content:"&a="; distance:0; http_uri; content:"&d="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36064; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"/offers_new?v="; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:"&a="; http_uri; content:"&i="; distance:0; http_uri; content:"&f="; distance:0; http_uri; content:"&u="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36065; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"windows="; depth:8; http_client_body; content:"&av="; within:50; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1fbe27602da7de2ce95254ffd409f70635179371354b4914997de273f6be9422/analysis/; classtype:trojan-activity; sid:36066; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV variant outbound connection"; flow:to_server,established; content:"/purchase.php?a="; fast_pattern:only; http_uri; content:"&v="; http_uri; content:"&u="; distance:0; http_uri; content:"&bgload="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f4c10d33b8c46cc7922a6eebc9f14858a01b2f573ee99dd1dc02a4534b537e18/analysis; classtype:trojan-activity; sid:36107; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nimisi variant outbound connection"; flow:to_server,established; content:!"User-Agent"; http_header; content:"/logs.php?&prog="; fast_pattern:only; http_uri; content:"&url="; http_uri; content:"&user="; distance:0; http_uri; content:"&pass="; distance:0; http_uri; content:"&comp="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a1f8f8b509001e5bca811a168455a89517000a2534d271018c0c87c6210bd69f/analysis/; classtype:trojan-activity; sid:36108; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakes variant dropper"; flow:to_server,established; content:"/document.php?rnd="; fast_pattern:only; http_uri; content:"&id="; depth:4; offset:22; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ff0ae81f0dece17baf8480d866c9462c9f3d49be9adde8b16f105e244eb31d67/analysis/; classtype:trojan-activity; sid:36202; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30|"; within:1; distance:string_size; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30 82|"; within:2; distance:string_size; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36611; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 02|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36612; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-admin/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\.exe$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:36914; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter outbound connection"; flow:to_server,established; content:"/counter/?"; fast_pattern:only; http_uri; content:"UA-CPU"; http_header; content:"MSIE 7.0|3B|"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/e3da9c7f20e7f24891e0dec594dad6d9deebee145153611a5c05c69593284a27/analysis/; reference:url,www.virustotal.com/en/file/9d6b1bd74848dd0549ad3883b7292d3ba0a4fa06d0aaf562032b0bf6dc198249/analysis/; classtype:trojan-activity; sid:37045; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"=@eval(base64_decode($_POST"; fast_pattern:only; http_client_body; metadata:impact_flag red, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:37245; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection"; flow:to_server,established; content:"/rss/feed/stream"; fast_pattern:only; http_uri; content:"|3F|"; depth:1; offset:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ADFAFFEA064A9F89064FBA300CDFCD7634CFD06802BF250FA1B070CABFBEBF5/analysis/; classtype:trojan-activity; sid:37467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/Browser.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37521; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/Mail.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37522; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/OSKey.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37523; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Engr variant outbound connection"; flow:to_server,established; urilen:7<>8; content:".php"; http_uri; content:"boundary=Xu02=$"; fast_pattern:only; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/54f6600db99fdab31453f3e23e8fb080438cd1ec36b6fc2868ff86cf88f14bb0/analysis/; classtype:trojan-activity; sid:37552; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant dropper download connection"; flow:to_client,established; file_data; content:"|A6 4D AA E1 65 52 A5 E1 E3 58 76 E1 81 4D A5 E1 CE 48 9C E1 BB 4D A5 E1 CE 48 A9 E1 A1 4D A5 E1|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37646; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/vip.jpg"; fast_pattern:only; http_uri; urilen:8; content:"User-Agent: Mozilla/4.0 (compatible)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37647; rev:1;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 01 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37730; rev:5;)
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 1C 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37731; rev:5;)
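The two glibc rules above (sid:37730 and sid:37731) express their conditions as byte_test and content checks on the raw DNS header: a datagram over 2000 bytes, QR and TC flags set, opcode 0, exactly one question, and a class-IN question of type A or AAAA. The Python below is an added example, not part of the Snort community rules file, that applies the same conditions to a single UDP payload. It differs from the rules in one deliberate way: it walks the question section properly instead of searching for the |00 00 01 00 01| byte string anywhere in the datagram. The sample response is constructed inline; the function and constant names are this example's own.

```python
"""The conditions of sid:37730/37731 applied to one DNS-over-UDP payload
(added example, not part of the rules file)."""
import struct
from typing import Optional, Tuple

QR_BIT, TC_BIT, OPCODE_MASK = 0x80, 0x02, 0x78   # bits of the flags high byte
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
SIZE_THRESHOLD = 2000                               # dsize:>2000 in the rule


def build_dns_response(qname: str, qtype: int, flags: int, total_len: int) -> bytes:
    """Constructed sample datagram: header, one question, zero filler up to total_len."""
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    labels = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, QCLASS_IN)
    message = header + question
    return message + b"\x00" * max(0, total_len - len(message))


def parse_first_question(msg: bytes) -> Optional[Tuple[int, int]]:
    """Return (qtype, qclass) of the first question, or None if malformed."""
    pos = 12
    while pos < len(msg):
        label_len = msg[pos]
        if label_len == 0:
            pos += 1
            if pos + 4 > len(msg):
                return None
            return struct.unpack_from(">HH", msg, pos)
        if label_len & 0xC0:      # compression pointers do not belong in a question name
            return None
        pos += 1 + label_len
    return None


def cve_2015_7547_signature(msg: bytes) -> Optional[str]:
    """'A' or 'AAAA' when the payload meets every condition of the rules, else None."""
    if len(msg) <= SIZE_THRESHOLD or len(msg) < 12:
        return None
    flags_hi = msg[2]
    if not flags_hi & QR_BIT:        # byte_test:1,&,0x80,2  -> must be a response
        return None
    if flags_hi & OPCODE_MASK:       # byte_test:1,!&,0x78,2 -> standard query opcode
        return None
    if not flags_hi & TC_BIT:        # byte_test:1,&,2,2     -> truncated flag set
        return None
    if struct.unpack_from(">H", msg, 4)[0] != 1:   # content:"|00 01|"; depth:2; offset:4
        return None
    question = parse_first_question(msg)
    if question is None or question[1] != QCLASS_IN:
        return None
    return {QTYPE_A: "A", QTYPE_AAAA: "AAAA"}.get(question[0])


if __name__ == "__main__":
    sample = build_dns_response("example.com", QTYPE_A, 0x8200, 2100)   # QR|TC set
    print(cve_2015_7547_signature(sample))
```

The size threshold is the load-bearing condition: a legitimate truncated UDP reply is at most 512 bytes (or the EDNS-advertised size), so a 2000-byte datagram carrying a TC flag is itself anomalous regardless of the flag checks.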
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex dropper variant outbound connection"; flow:to_server,established; content:"/gt.jpg?"; fast_pattern; http_uri; content:"="; within:1; distance:15; http_uri; content:"bytes=6433-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8a80760f60f42ce5574a8020c08123a6a8fc2a12d28e8802f3d5101f72c2ad0c/analysis/; classtype:trojan-activity; sid:37733; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08|"; distance:2; content:"|05|"; distance:4; content:"MERA RTU"; within:100; fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37814; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08 02|"; within:2; distance:2; content:"EE|A8 C6|3"; within:80; content:"ooh323"; distance:6; fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37815; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; urilen:10; content:"post="; depth:5; fast_pattern; http_client_body; content:"/index.php"; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/522e5d4ea0771f5c0bc300c2d66a0445a66ae85bd4b50c21a502365db0a638d9/analysis/; classtype:trojan-activity; sid:37816; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/lockycrypt.rar"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37834; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/34gf5y/r34f3345g"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37835; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious file download attempt"; flow:to_server,established; content:"|2F 70 6F 63|"; http_uri; pcre:"/\x2f\x70\x6f\x63(\d*|\x5f[\x61-\x7a]+)\x2e(\x68\x74\x6d\x6c|\x78(\x6c\x73|\x73\x6c|\x6d\x6c)|\x6a(\x73|\x61\x76a)|\x61\x73\x70|\x70(\x64f|\x70\x74|\x48\x70|\x73\x64)|\x66\x6c\x76|\x73\x77\x66|\x64\x6fc|\x74\x74\x66|\x62\x6d\x70|\x6d(\x70\x33|\x33\x75))/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:37963; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"POST"; http_method; content:"/photos/photo.asp"; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38255; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"CONNECT"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Accept: */*"; http_header; content:"Accept-Encoding|3A| identity"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38256; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Cache-Control|3A 20|no-cache"; http_header; content:"GET"; http_method; content:"/Query.asp?loginid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38257; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Cache-Control|3A 20|no-cache"; http_header; content:"POST"; http_method; content:"/login1.asp"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38258; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/main.php"; fast_pattern:only; http_uri; urilen:9,norm; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:10,>,95,0,relative,string,dec; byte_test:10,<,115,0,relative,string,dec; content:"Connection|3A 20|Keep-Alive|0D 0A|Cache-Control|3A 20|no-cache"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33ab0605b83356e065459559bb81ec5e7464be563059fce607760517fedaf603/analysis/; classtype:trojan-activity; sid:38331; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Bifrose outbound connection"; flow:to_server; content:"|9B 4F B0 75 E2 76 96 04 5A F1 F9 43 D4 A2 6B|"; depth:15; offset:4; content:"|76 13 85 45 17 1B|"; within:6; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0a0d7bed3c8aa0e0e87e484a37e62b0bd0e97981b0bea55f6f3607316831ba5d/analysis/; classtype:trojan-activity; sid:38333; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established; content:"|43 00 00 00 05|"; depth:5; dsize:<80; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38353; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs"; flow:to_server,established; content:"|01 00 00 00 3C|"; depth:5; dsize:5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38354; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 01|"; depth:5; dsize:5; metadata:impact_flag red, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38355; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials"; flow:to_server,established; content:"|01 00 00 00 3D|"; depth:5; dsize:5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38357; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials"; flow:to_server,established; content:"|01 00 00 00 41|"; depth:5; dsize:<10; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38359; rev:1;)
alert tcp $EXTERNAL_NET 4043 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 06|Lisbon"; content:"|55 04 0A 0C 10|Souppi Otiop SEM"; distance:6; content:"|55 04 03 0C 0E|wthcethesmw.ph"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38378; rev:1;)
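The three |55 04 xx 0C nn| patterns in sid:38378 are DER-encoded X.509 name attributes: OID 2.5.4.7 (localityName), 2.5.4.10 (organizationName) and 2.5.4.3 (commonName), each followed by a UTF8String (tag 0x0C) of the stated length. The Python below is an added example, not the rules file's own code: it builds a constructed DER Name with the rule's values, walks the TLV structure to pull the attributes out, and compares them with what the rule expects. It is more general than the rule, which additionally requires the L and O attributes to be adjacent RDNs (the distance:6 covers exactly the SET, SEQUENCE and OID headers between them); the function names are this example's own.

```python
"""Extract X.509 subject attributes from a DER-encoded Name and compare them with
the values sid:38378 looks for (added example, not from the rules file)."""
from typing import Dict, List, Tuple

# DER-encoded attribute type OIDs (the |55 04 xx| bytes in the rule).
OID_NAMES = {
    b"\x55\x04\x07": "L",   # 2.5.4.7  localityName
    b"\x55\x04\x0a": "O",   # 2.5.4.10 organizationName
    b"\x55\x04\x03": "CN",  # 2.5.4.3  commonName
}

# Attribute values taken from the rule itself.
DRIDEX_SUBJECT = {"L": "Lisbon", "O": "Souppi Otiop SEM", "CN": "wthcethesmw.ph"}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def build_name(attrs: List[Tuple[bytes, str]]) -> bytes:
    """Constructed sample: Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    rdns = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, value.encode())))
        for oid, value in attrs
    )
    return der_tlv(0x30, rdns)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def extract_attributes(name_der: bytes) -> Dict[str, str]:
    """Walk a DER Name and return {short name or OID hex: value}."""
    tag, rdn_sequence, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs: Dict[str, str] = {}
    pos = 0
    while pos < len(rdn_sequence):
        set_tag, set_body, pos = read_tlv(rdn_sequence, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        seq_tag, atv, _ = read_tlv(set_body, 0)   # first AttributeTypeAndValue in the SET
        oid_tag, oid, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)
        if seq_tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed AttributeTypeAndValue")
        attrs[OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8", "replace")
    return attrs


def matches_sid_38378(name_der: bytes) -> bool:
    """True when L, O and CN all equal the values in the Dridex rule."""
    try:
        attrs = extract_attributes(name_der)
    except ValueError:
        return False
    return all(attrs.get(k) == v for k, v in DRIDEX_SUBJECT.items())


def sample_dridex_name() -> bytes:
    """Constructed Name carrying the rule's three attribute values."""
    return build_name([(b"\x55\x04\x07", "Lisbon"),
                       (b"\x55\x04\x0a", "Souppi Otiop SEM"),
                       (b"\x55\x04\x03", "wthcethesmw.ph")])


def sample_benign_name() -> bytes:
    """Constructed Name that shares only the locality with the rule."""
    return build_name([(b"\x55\x04\x07", "Lisbon"),
                       (b"\x55\x04\x0a", "Example Org"),
                       (b"\x55\x04\x03", "www.example.com")])
```

Matching on the decoded attributes rather than on the raw byte pattern keeps the check stable if the certificate's attribute order or string tag (PrintableString 0x13 versus UTF8String 0x0C) changes between samples, which is where byte-exact rules like this one tend to go stale.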
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_client,established; file_data; content:"FeintedEscalator"; fast_pattern:only; content:"InkingGrange"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38379; rev:1;)
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_server,established; file_data; content:"FeintedEscalator"; fast_pattern:only; content:"InkingGrange"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38380; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"USER [email protected]|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38385; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"PASS Goodman1986|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38386; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"STOR Screenshot from|3A 20|"; fast_pattern; content:"|29|.png"; within:80; metadata:impact_flag red, ruleset community, service ftp; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38387; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check"; flow:to_server,established; urilen:16; content:"/geoip/geoip.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38388; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; content:"|7C 7C|CM01|7C|CM02|7C|CM03|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/efd9036e675507da76cd0946408aedb814aff9da62d23de4f0680a4e7186a75c/analysis/1460471360/; classtype:trojan-activity; sid:38509; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/api?upload"; fast_pattern:only; http_uri; content:"Expect|3A 20|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/146889acc9c4a5dbda2de339320159560567b14f846653df727284076f092e63/analysis/1460466642/; classtype:trojan-activity; sid:38510; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:9; content:"hi00"; fast_pattern:only; pcre:"/hi00[0-9]{5}/"; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38514; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|39 64 30 33 66 65 66 35 30 30 62 39 30 30 34 36 32 37 31 31 30 33 32 35|"; fast_pattern:only; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38515; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|61 63 36 62 66 34 64 30 66 35 36 30 30 30 34 36 32 37 31 31 30 33 39 39|"; fast_pattern:only; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38516; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC binary download while video expected"; flow:to_client,established; content:"Content-Type|3A 20|video/quicktime|0D 0A 0D 0A|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38517; rev:1;)
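sid:38517 catches a PE executable delivered under a Content-Type of video/quicktime: "MZ" must sit at the start of the file body, byte_jump reads the 4-byte little-endian e_lfanew field at offset 0x3C (58 bytes past the cursor that follows "MZ"), and "PE|00 00|" must appear at that offset (within:4 at distance:-64 from where the jump lands). The Python below is an added example, not code from the rules file, that re-implements this check over a constructed HTTP response. One generalization: the rule requires Content-Type to be the last header (|0D 0A 0D 0A| follows it), while this version parses the whole header block and accepts the header in any position. Function names and the sample bytes are this example's own.

```python
"""Re-implementation of the check in sid:38517 (added example, not part of the
rules file): a PE image delivered under Content-Type video/quicktime."""
import struct
from typing import Dict, Tuple


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample body: a minimal MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    padding = b"\x00" * (e_lfanew - len(dos_header))
    return bytes(dos_header) + padding + b"PE\x00\x00" + b"\x00" * 20


def build_response(content_type: bytes, body: bytes) -> bytes:
    """Constructed sample HTTP response carrying the given type and body."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: constructed-sample\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Content-Type: " + content_type + b"\r\n\r\n" + body)


def is_pe_image(body: bytes) -> bool:
    """Mirror the rule: 'MZ' at offset 0, little-endian e_lfanew at 0x3C, and the
    'PE\\0\\0' signature at e_lfanew. Out-of-range e_lfanew simply fails the compare."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def split_response(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Separate a raw response into lower-cased header map and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {}, b""
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def binary_while_video_expected(raw: bytes) -> bool:
    """True when the declared type is QuickTime video but the body is a PE image."""
    headers, body = split_response(raw)
    ctype = headers.get(b"content-type", b"").lower()
    return ctype.startswith(b"video/quicktime") and is_pe_image(body)


if __name__ == "__main__":
    print(binary_while_video_expected(build_response(b"video/quicktime", build_fake_pe())))
```

The e_lfanew check is what separates a real PE image from any body that merely begins with the letters "MZ"; a QuickTime file starts with an atom size and "ftyp", so the MZ test alone already rejects it, but the PE-signature test is what keeps a two-byte coincidence from firing.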
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"Connection|3A 20|Keep-Alive"; http_header; content:!"Accept"; http_header; content:!"Content-Type"; http_header; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38557; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"="; depth:4; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38558; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"<br><br><b><big>"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38559; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"JFIF"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38560; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt"; flow:to_server,established; content:".p HTTP/1.1"; fast_pattern:only; content:"/plugins/"; http_uri; pcre:"/\/plugins\/[a-z]{3,10}\.p/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38561; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt"; flow:to_server,established; content:"/post.php?"; fast_pattern:only; http_uri; content:"pl="; http_uri; content:"&education="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38564; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt"; flow:to_server,established; content:"HEAD"; http_method; content:".bin"; fast_pattern:only; content:"User-Agent|3A 20|Microsoft BITS"; http_header; content:"Accept-Encoding|3A 20|identity|0D 0A|"; content:!"Content-Length"; http_header; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38565; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt"; flow:to_server,established; content:".bin"; fast_pattern:only; content:"User-Agent|3A 20|Microsoft BITS"; http_header; content:"Accept-Encoding|3A 20|identity|0D 0A|"; content:"If-Unmodified-Since"; http_header; content:"Range"; http_header; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38566; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RFT document malformed header"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn"; depth:7; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38580; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RFT document malformed header"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn"; depth:7; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38581; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection"; flow:to_server,established; content:"/img/script.php?"; fast_pattern:only; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"UA-CPU|3A 20|"; http_header; content:!"Referer"; http_header; content:!"Accept-Language"; http_header; pcre:"/\/img\/script\.php\x3f.*\.mov$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38584; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:139<>200,norm; content:"/wp-includes.php?d="; fast_pattern:only; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|close|0D 0A|"; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38585; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:>180,norm; content:"/api.php?d="; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38586; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt"; flow:to_client,established; content:"307"; http_stat_code; content:"Temporary Redirect"; http_stat_msg; content:"Set-Cookie|3A 20|DFSCOOK="; fast_pattern:only; content:"Location: "; content:"/api.php?d="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38587; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:>185,norm; content:".php?d="; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; pcre:"/\.php\x3fd=[A-F0-9]{174}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38588; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Bloomberg
web crawler outbound connection"; flow:to_server,established; content:"User-Agent:
BLP_bbot"; fast_pattern:only; http_header; metadata:ruleset community, service
http; reference:url,irwebreport.com/20110223/bloomberg-bot-strikes-again-
transocean-earnings-leaked; classtype:misc-activity; sid:38594; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.UP007 variant outbound connection"; flow:to_server,established;
urilen:10; content:"/index.asp"; fast_pattern:only; http_uri; content:"User-Agent|
3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|)"; http_header;
content:"Accept-Language|3A 20|en-us|0D 0A|"; http_header; content:"UP007";
http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma/;
classtype:trojan-activity; sid:38603; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Qakbot variant network speed test"; flow:to_server,established;
content:"/random750x750.jpg?x="; fast_pattern:only; http_uri; content:"&y=";
http_uri; content:"Accept|3A 20|application/x-shockwave-flash, image/gif,
image/jpeg, image/pjpeg, */*|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-
cache|0D 0A|"; http_header; content:!"Accept-"; http_header; content:!"Referer";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-
ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a2
67b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38606;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Qakbot variant outbound connection"; flow:to_server,established;
urilen:30<>35,norm; content:"btst="; http_cookie; content:"snkz="; http_cookie;
content:"Accept|3A 20|application/x-shockwave-flash, image/gif, image/jpeg,
image/pjpeg, */*|0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control|3A
20|no-cache|0D 0A|"; http_header; content:!"Connection"; http_header;
content:!"Referer"; http_header; metadata:impact_flag red, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a2
67b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38607;
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.RockLoader variant outbound connection"; flow:to_server,established;
urilen:5; content:"/api/"; fast_pattern:only; http_uri; content:"Content-Type|3A
20|octet-stream"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|";
http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/d3cd3630b5709535f9bfa59c4ec75c806126298591
9a43a175ec9d7e15c9419a/analysis/1461598531/; classtype:trojan-activity; sid:38608;
rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Godzilla downloader successful base64 binary download";
flow:to_client,established; content:"GODZILLA="; fast_pattern:only;
content:"GODZILLA="; http_cookie; metadata:impact_flag red, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/f597634ff5e2623baff35d99bfdb2aac1725c9f498
05b4903c13093c43172cb7/analysis/1461593386; classtype:trojan-activity; sid:38610;
rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-
COMPROMISE Content-Type text/plain containing Portable Executable data";
flow:to_client,established; content:"Content-Type|3A 20|text/plain"; http_header;
file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00
00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, policy security-
ips alert, ruleset community, service ftp-data, service http, service imap, service
pop3;
reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae0517
9203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38619;
rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex
certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|
0B|"; distance:3; content:"|55 04 07 0C 0B|Ouagadougou"; content:"|55 04 0A 0C 16|
Tiongon Wledb A.M.B.A."; distance:6; content:"|55 04 03 0C 10|ina.themanyag.zm";
distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service ssl;
reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae0517
9203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38620;
rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16
03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 09|Bujumbura"; content:"|55
04 0A 0C 10|Wiqur Hitin ehf."; distance:6; content:"|55 04 03 0C 11|
puppeitursilth.cz"; distance:6; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service ssl;
reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae0517
9203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38621;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bayrob
variant outbound connection"; flow:to_server,established; dsize:8; content:"|4C 48
42 80 71 C2 A5 DF|"; depth:8; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/en/file/6b6b91cd104f4a6d32b5187131d905391160767207
6e6ed26ed51369e5329cad/analysis/1462889491/; classtype:trojan-activity; sid:38886;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Locky JS dropper outbound connection"; flow:to_server,established;
content:"/log.php?"; fast_pattern:only; http_uri; content:"UA-CPU"; http_header;
content:"Accept|3A 20|*/*"; http_header; content:!"Referer"; http_header;
pcre:"/\/log\.php\x3f[a-z]\x3d\d{3}/Ui"; metadata:impact_flag red, policy balanced-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/11180a0ff4576e0dbbe48d77ed717e72678520516f
f13f523cad832d1b9fa9ac/analysis/1462906326/; classtype:trojan-activity; sid:38887;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Locky variant outbound connection"; flow:to_server,established;
urilen:13; content:"/userinfo.php"; fast_pattern:only; content:"Cache-Control|3A
20|no-cache|0D 0A|"; http_header; content:"Content-Type|3A 20|application/x-www-
form-urlencoded|0D 0A|"; http_header; content:!"Accept"; http_header;
content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/2d766d57bc549b3ac7b87b604e2103318eaf41b526
086ffe0201d5778521c1b6/analysis/1462906540/; classtype:trojan-activity; sid:38888;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kirts exfiltration attempt"; flow:to_server,established; content:".php?
fname=Hawkeye_Keylogger"; fast_pattern:only; http_uri; content:"&data="; http_uri;
content:!"User-Agent"; http_header; content:!"Accept"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4
742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38890;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC
Win.Trojan.Kirts initial registration"; flow:to_server,established;
content:"Subject|3A 20|=?utf-8?B?SGF3a0V5ZSBMb2dnZXIg"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service smtp;
reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4
742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38891;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.PassStealer passwords exfiltration attempt"; flow:to_server; file_data;
content:"Passwords Recorded On "; fast_pattern; content:"Time of Recording:";
within:20; distance:22; content:"IP Address"; within:12; distance:15;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service ftp;
reference:url,virustotal.com/en/file/5780e8408c8d5c84d1fbe5c53eeb77832a6af54fd41fab
7f720c89fc10989340/analysis/1463495191/; classtype:trojan-activity; sid:38950;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Win.Adware.OpenSoftwareUpdater variant outbound connection attempt";
flow:to_server,established; content:"/installer.php?"; http_uri; content:"CODE=";
fast_pattern:only; content:"UID="; http_uri; content:"action="; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a
370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38951;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Win.Adware.OpenSoftwareUpdater variant outbound connection attempt";
flow:to_server,established; content:"/optin.php?"; fast_pattern:only; http_uri;
content:"f="; content:"quant="; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a
370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38952;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Win.Adware.OpenSoftwareUpdater variant outbound connection attempt";
flow:to_server,established; content:"/info.php?"; http_uri; content:"quant=";
fast_pattern:only; content:"f="; http_uri; content:"h="; http_uri; content:"size=";
http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a
370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38953;
rev:1;)
alert tcp any any -> any $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header
- likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|
3A| "; http_header; content:"sleep("; within:200; fast_pattern; http_header;
pcre:"/User-Agent\x3A\x20[^\r\n]*sleep\x28/H"; metadata:policy balanced-ips drop,
policy max-detect-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-
application-attack; sid:38993; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Sinrin initial JS dropper outbound connection";
flow:to_server,established; urilen:<31; content:"Accept|3A 20|*/*|0D 0A|UA-CPU|3A
20|"; fast_pattern:only; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|";
http_header; content:"Accept-Encoding|3A 20|gzip, deflate|0D 0A|"; http_header;
content:!"Referer"; http_header; pcre:"/\/[a-z0-9]{8,10}\x3f[A-Za-z]{7,10}\x3d[A-
Za-z]{6,10}/U"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e0f8b6fd78c724b688f6467baf37f08c5ed198ea1b
4224f31f50c8acbad49742/analysis/; classtype:trojan-activity; sid:39064; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established;
content:"|3B 00 00 00 05|"; depth:5; dsize:<65; metadata:impact_flag red, ruleset
community;
reference:url,www.virustotal.com/en/file/5db3b9ce06e334cb61279dd936a40be75df6732228
bb692a7a84b1299eb09071/analysis/1464362377/; classtype:trojan-activity; sid:39080;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.LuminosityLink RAT variant outbound connection";
flow:to_server,established; content:"=P4CK3T="; depth:32; content:"8_=_8";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community;
reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627
e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39106; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.LuminosityLink RAT variant inbound connection";
flow:to_client,established; content:"=P4CK3T="; depth:32; content:"8_=_8";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community;
reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627
e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39107; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.JRat
inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03
01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 06
13 02|FR"; content:"|55 04 0A 13 0C|assylias.Inc"; distance:6; content:"|55 04 03
13 08|assylias"; distance:6; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service ssl;
reference:url,www.virustotal.com/en/file/45e8df88b177cec3972f36284290eab652fb21806e
f7e9575be853fb30528f28/analysis/; classtype:trojan-activity; sid:39159; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.JRat
inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03
01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 06
13 02|US"; content:"|55 04 08 13 0A|California"; distance:6; content:"|55 04 07 13
0E|Redwood Shores"; distance:6; content:"|55 04 0A 13 14|Oracle America, Inc.";
distance:6; content:"|55 04 0B 13 13|Code Signing Bureau"; distance:6; content:"|55
04 03 13 14|Oracle America, Inc."; distance:6; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service ssl;
reference:url,www.virustotal.com/en/file/9d54565f8fb7cf50df11bf9745f7efd04a49abb03e
85a3aafbf9a5b5fcd065c9/analysis/; classtype:trojan-activity; sid:39160; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex
self-signed certificate exchange"; flow:to_client,established; content:"|16 03|";
content:"|59|"; distance:3; content:"|55 04 06 13 02|BN"; content:"|55 04 07 0C 13|
Bandar Seri Begawan"; distance:6; content:"|55 04 0A 0C 12|Cowchi Aromep LTD.";
distance:6; content:"|55 04 03 0C 17|tsre131.eollaieefi.jprs"; distance:6;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service ssl;
reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b83
01a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39163; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established;
content:"|16 03|"; content:"|59|"; distance:3; content:"|55 04 06 13 02|PW";
content:"|55 04 07 0C 08|Melekeok"; distance:6; content:"|55 04 0A 0C 0E|Merwh
Whena NL"; distance:6; content:"|55 04 03 0C 16|pepa634.omeewengreq.mz";
distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service ssl;
reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b83
01a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39164; rev:1;)
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] (msg:"MALWARE-CNC Win.Trojan.iSpy
variant initial outbound connection"; flow:to_server,established;
content:"=0D=0A=0D=0A"; fast_pattern:only; content:"iSpy Keylogger";
content:"Computer Information"; content:"Username:"; within:30;
content:"Installed"; within:50; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service smtp;
reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d387
6255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39409; rev:1;)
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] (msg:"MALWARE-CNC Win.Trojan.iSpy
variant exfiltration outbound connection"; flow:to_server,established;
content:"=0D=0A"; fast_pattern:only; content:"iSpy Keylogger";
content:"=0D=0ABrowser"; content:"=0D=0AWebsite"; within:70;
content:"=0D=0AUsername"; within:70; content:"=0D=0APassword"; within:70;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service smtp;
reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d387
6255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39410; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Qbot variant outbound connection"; flow:to_server,established;
content:"zwlviewforumogaf.php"; fast_pattern:only; http_uri; content:"Host|3A|
a.topgunnphoto.com"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/020356457e95f7607c1941e03294b4c16e23daa402
d7e79cfd2ba91b23969480/analysis/1463667519/; classtype:trojan-activity; sid:39411;
rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF
document incorrect file magic attempt"; flow:to_client,established;
flowbits:isset,file.rtf; file_data; content:"|7B 5C|rt|0D 3C|"; depth:6;
metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service ftp-data, service http, service imap, service
pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms15-033; classtype:attempted-user; sid:39526; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF document
incorrect file magic attempt"; flow:to_server,established; flowbits:isset,file.rtf;
file_data; content:"|7B 5C|rt|0D 3C|"; depth:6; metadata:policy balanced-ips drop,
policy max-detect-ips drop, policy security-ips drop, ruleset community, service
smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-
us/security/bulletin/ms15-033; classtype:attempted-user; sid:39527; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE
Microsoft Office RTF WRAssembly ASLR bypass download attempt";
flow:to_client,established; flowbits:isset,file.rtf; file_data;
content:"WRAssembly"; fast_pattern:only; metadata:impact_flag red, policy balanced-
ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community,
service ftp-data, service http, service imap, service pop3; reference:cve,2015-
1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033;
classtype:attempted-user; sid:39528; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office
RTF WRAssembly ASLR bypass download attempt"; flow:to_server,established;
flowbits:isset,file.rtf; file_data; content:"WRAssembly"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033;
classtype:attempted-user; sid:39529; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot
variant outbound connection"; flow:to_server,established; dsize:12; content:"|08 00
00 00 27 C7 CC 6B C2 FD 13 0E|"; depth:12; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a
3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39573;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot
variant outbound connection"; flow:to_server,established; dsize:12; content:"|08 00
00 00 D7 75 FF F7 C7 62 B9 82|"; depth:12; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a
3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39574;
rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC
Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established;
dsize:68; content:"|40 00 00 00|"; depth:4; byte_test:1,>,2,0,relative; content:!"|
0A|"; within:1; distance:1; metadata:impact_flag red, ruleset community;
reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a
3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39575;
rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC
Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established;
dsize:36; content:"|20 00 00 00 AD|"; depth:5; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a
3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39576;
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot
variant outbound connection"; flow:to_server,established; dsize:12; content:"|08 00
00 00 86 CC 02 89 8F F7 A6 67|"; depth:12; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e2
38776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39577;
rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot
variant inbound connection"; flow:to_client,established; dsize:36; content:"|20 00
00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|";
depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community;
reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e2
38776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39578;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot
variant outbound connection"; flow:to_server,established; dsize:60; content:"|38 00
00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|";
depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community;
reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e2
38776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39579;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot
variant outbound connection"; flow:to_server,established; dsize:68; content:"|40 00
00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|";
depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community;
reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e2
38776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39580;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.NanoBot/Perseus initial outbound connection";
flow:to_server,established; dsize:60; content:"|38 00 00 00 F5 13 89 53|"; depth:8;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community;
reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de
484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39581; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.NanoBot/Perseus server heartbeat request attempt";
flow:to_client,established; dsize:36; content:"|20 00 00 00 2B FF 4B F4|"; depth:8;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community;
reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de
484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39582; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.NanoBot/Perseus client heartbeat response attempt";
flow:to_server,established; dsize:52; content:"|30 00 00 00 2B FF 4B F4|"; depth:8;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community;
reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de
484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39583; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Zeus variant inbound connection"; flow:to_client,established;
content:"attachment|3B|"; http_header; content:"filename="; http_header;
content:"/us.xml"; within:20; fast_pattern; http_header; content:"Content-Type|3A
20|application/octet-stream|0D 0A|"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/292c12a4c9cf8724c7bfa9ec73e1b703bd51720ea1
8cd4528e9be516d05b5628/analysis/1468961317/; classtype:trojan-activity; sid:39705;
rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-
COMPROMISE Content-Type image containing Portable Executable data";
flow:to_client,established; content:"Content-Type|3A 20|image/"; fast_pattern:only;
http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little;
content:"PE|00 00|"; within:4; distance:-64; metadata:ruleset community, service
ftp-data, service http, service imap, service pop3;
reference:url,www.virustotal.com/en/file/2dc752d12baa8c8441b82dd52abfd51c25abd28ba4
2344b22869ba7ae5a9a877/analysis/1469197722/; classtype:trojan-activity; sid:39729;
rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HttpOxy
CGI application vulnerability potential man-in-the-middle attempt";
flow:to_server,established; content:"|0A|Proxy|3A|"; fast_pattern:only;
http_header; metadata:policy max-detect-ips drop, ruleset community, service http;
reference:cve,2016-5385; reference:cve,2016-5386; reference:cve,2016-5387;
reference:cve,2016-5388; reference:url,httpoxy.org; classtype:web-application-
attack; sid:39737; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Trans variant outbound connection"; flow:to_server,established;
content:"/site/images/banners/casecor21.gif"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/a4c1234bb748f9bcabeb9ab990614fd4c1035135c5
f5068fd42bace4b75fff0e/analysis/; classtype:trojan-activity; sid:39738; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Hancitor variant outbound connection"; flow:to_server,established;
content:"/gate.php"; fast_pattern:only; http_uri; content:"GUID="; depth:122;
http_client_body; content:"BUILD="; depth:122; http_client_body; content:"INFO=";
depth:122; http_client_body; content:"IP="; depth:122; http_client_body;
content:"TYPE="; depth:122; http_client_body; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5ec4ba1a97500e664af6896f4c02846ca6777e671b
b600103dc8d49224e38f48/analysis/1469201551/; classtype:trojan-activity; sid:39800;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 900 (msg:"MALWARE-CNC Win.Trojan.Spyrat
variant outbound connection"; flow:to_server,established; content:"myversion|7C|
2.5.2."; depth:19; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community;
reference:url,www.virustotal.com/en/file/e64f536556739d50a673a952da7f110f1156fad0f7
360d401794e5a8d65ce63a/analysis/; classtype:trojan-activity; sid:39801; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"FILE-OFFICE Microsoft Windows RTF
file with embedded object package SMTP upload attempt"; flow:to_server,established;
file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|
objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed;
metadata:policy max-detect-ips alert, ruleset community, service smtp;
reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity;
sid:39903; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC
Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established;
content:"Subject: HawkEye Keylogger |7C|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
smtp;
reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f2
84d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:39911; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Locky variant outbound connection"; flow:to_server,established;
urilen:14; content:"/data/info.php"; fast_pattern:only; http_uri; content:"x-
requested-with: XMLHttpRequest"; http_header; content:"Referer|3A| http|3A|";
http_header; content:"/data"; within:25; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/f29ce76169727ff5a43ef7baa5c4e04f7d3302189e
3d2a31cfc9dec39e84ad03/analysis/; classtype:trojan-activity; sid:40011; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX
Mozilla Firefox about field spoofing attempt"; flow:to_client,established;
file_data; content:"about:"; fast_pattern; nocase; content:"?"; within:15;
content:"<"; within:100; content:"location"; nocase; pcre:"/\babout:[a-z]+?\?[^\n]
+?\</i"; metadata:ruleset community, service http; reference:cve,2016-5268;
reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1253673;
reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-83/;
classtype:attempted-user; sid:40015; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XLSB
file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|";
depth:4; flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert;
metadata:ruleset community, service ftp-data, service http, service imap, service
pop3; classtype:misc-activity; sid:40035; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XLSB file magic
detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4;
flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert; metadata:ruleset
community, service smtp; classtype:misc-activity; sid:40036; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel Challenge ACK provocation attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src, count 200, seconds 1; metadata:ruleset community; reference:bugtraq,91704; reference:cve,2016-5696; reference:cve,2017-7285; classtype:attempted-admin; sid:40063; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt"; flow:to_server,established; content:"/geoip.php?bdr="; fast_pattern:only; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; classtype:web-application-activity; sid:40184; rev:1;)
alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40220; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40221; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40222; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Perseus"; flow:to_server,established; content:"User-Agent|3A| bUQ8QmvUpI57udWFxQHPkuyKDfc3T8u5"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40251; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Perseus variant outbound connection"; flow:to_server,established; content:"mashine="; fast_pattern:only; http_client_body; content:"publickey="; http_client_body; content:"user="; http_client_body; content:"os="; http_client_body; content:"processor="; http_client_body; content:"mac="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40252; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt"; flow:to_server,established; content:"/icloudsyncd"; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*"; http_header; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40260; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Satana ransomware outbound connection"; flow:to_server,established; content:"/add.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"code="; http_client_body; content:"sdata="; http_client_body; content:"name="; http_client_body; content:"md5="; http_client_body; content:"dlen="; http_client_body; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96/analysis/1477327210/; classtype:trojan-activity; sid:40541; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection"; flow:to_server,established; content:"/victim.php?info="; fast_pattern:only; http_uri; content:"&ip="; http_uri; content:"info="; http_uri; content:"User-Agent|3A 20|Python-urllib/"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e/analysis/1477329470/; classtype:trojan-activity; sid:40549; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt"; flow:to_server,established; content:"/images/"; fast_pattern:only; http_uri; content:".rar"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40550; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt"; flow:to_server,established; content:"/LetsGo.php?A="; fast_pattern:only; http_uri; content:"Sytem="; http_uri; content:"qual="; http_uri; content:!"Accept"; http_header; content:!"referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40551; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpy variant outbound connection"; flow:to_server,established; content:"iSpyKelogger"; fast_pattern:only; http_uri; content:"gate="; http_client_body; content:"token="; distance:0; http_client_body; content:"name="; distance:0; http_client_body; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/11e611585bfb6ff1f823e3c035ef6cfae39dfe2209e15ed01a8db8b3f9526519/analysis/1477417828/; classtype:trojan-activity; sid:40559; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant inbound connection"; flow:to_client,established; content:"Server Prent <please>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40762; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getSMS command response"; flow:to_server,established; content:"|7C|ge|7C|t|7C|SM|7C|S|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40763; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getContacts command response"; flow:to_server,established; content:"send|7C|G|7C 7C|Cont|7C|acts|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40764; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:12; content:"/message.php"; fast_pattern:only; http_uri; content:"x-requested-with|3A 20|XMLHttpRequest|0D 0A|"; http_header; content:"Referer|3A 20|"; http_header; content:"Accept|3A 20|*/*|0D 0A|Accept-Language|3A 20|en-us|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ab082d6047fb73b9de7ebc59fb12fa1f8c2d547949d4add3b7a573d48172889b/analysis/1479147777/; classtype:trojan-activity; sid:40816; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MindSpark framework installer attempt"; flow:to_server,established; content:"User-Agent|3A 20|Mindspark MIP "; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9f2cc1688bee96849ced91ade04d4d51e6fd18fa47ab1dc2c12a029aa672f7ce/analysis/; classtype:trojan-activity; sid:40827; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_houdini|0D 0A|"; depth:13; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40831; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt"; flow:to_client,established; dsize:23; content:"silence_keylogger|0D 0A|"; depth:19; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40832; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt"; flow:to_client; content:"screenshot_init|0D 0A|"; depth:17; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40833; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt"; flow:to_client; dsize:24; content:"silence_screenshot|0D 0A|"; depth:20; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40834; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt"; flow:to_client,established; content:"screen_thumb|0D 0A|"; depth:14; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40835; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt"; flow:to_client,established; dsize:23; content:"file_manager_"; depth:13; offset:4; pcre:"/file_manager_(init|root|faf)\x0d\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40836; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Sokuxuan outbound connection attempt"; flow:to_server,established; content:"/UpgSvr/"; fast_pattern:only; http_uri; content:".xml"; http_uri; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:trojan-activity; sid:40839; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40840; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.authorize|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40841; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.extranonce.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40842; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".createElementNS"; content:"svg"; within:10; content:".setAttribute"; content:"begin"; within:15; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".pauseAnimations"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40888; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".pauseAnimations"; fast_pattern:only; content:"svg"; nocase; content:"animate"; nocase; content:"begin"; within:50; nocase; content:"end"; within:50; nocase; content:".end"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40896; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|"; depth:3; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"as_ft="; http_client_body; content:"as_q="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/471fbdc52b501dfe6275a32f89a8a6b02a2aa9a0e70937f5de610b4185334668/analysis/1480953133/; classtype:trojan-activity; sid:40911; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"MALWARE-CNC Linux.DDoS.D93 outbound connection"; flow:to_server; content:"|4E 0F 42 07 27|"; depth:5; dsize:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2c017c94d9f40cba9a20e92c7c636e98de15c599bf004fa06508d701ab9e3068/analysis/; classtype:trojan-activity; sid:40991; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt"; flow:to_server,established; content:"/apply_noauth.cgi"; depth:17; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10176; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41095; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt"; flow:to_server,established; content:"/lang_check"; nocase; http_uri; content:"hidden_lang_avi="; nocase; http_client_body; isdataat:36,relative; content:!"&"; within:36; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10174; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41096; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/admin.php?f="; fast_pattern:only; http_uri; content:"UA-CPU|3A 20|"; http_header; content:"MSIE 7.0|3B|"; http_header; content:"Accept|3A 20|*/*"; http_header; content:!"Accept-Language"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41334; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:12; content:"/checkupdate"; fast_pattern:only; http_uri; content:"x-requested-with|3A 20|"; http_header; content:"Referer"; http_header; content:"="; depth:15; http_client_body; content:"%"; within:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41335; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; content:"time|3A 20|"; fast_pattern:only; http_header; content:"User-Agent|3A 20|HttpEngine"; http_header; content:".do"; http_uri; pcre:"/\.(do|jar)$/Umi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41336; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; content:"GZIPOK|3A 20|"; fast_pattern:only; http_header; content:"CompGZ|3A 20|"; http_header; content:"ReqType|3A 20|"; http_header; content:".do"; http_uri; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41337; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_uri; content:"arg="; nocase; http_uri; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/[?&]arg=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41346; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_raw_uri; content:"arg="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/[?&]arg=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41347; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_client_body; content:"arg="; nocase; http_client_body; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/(^|&)arg=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41348; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_client_body; content:"arg"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/name\s*=\s*[\x22\x27]?arg((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41349; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant registration message"; flow:to_server,established; content:"|41 00 00 00 83|"; depth:5; dsize:<80; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41374; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant check logs"; flow:to_server,established; content:"|38 00 00 00 85|"; depth:5; dsize:<80; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41375; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 81|"; depth:5; dsize:5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41376; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco WebEx explicit use of web plugin"; flow:to_server,established; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern:only; http_uri; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:policy-violation; sid:41409; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC User-Agent known malicious user-agent string - X-Mas"; flow:to_server,established; content:"User-Agent|3A 20|Useragents"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41441; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Ransomware.X-Mas outbound connection"; flow:to_server,established; content:"WebKitFormBoundary"; content:"|20|form-data|3B 20|name=|22|uid|22|"; fast_pattern; content:"|20|form-data|3B 20|name=|22|uname|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|cname|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|ltime|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|uright|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|sysinfo|22|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41442; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"163="; http_client_body; content:"&x="; distance:0; http_client_body; content:"&z="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41443; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; content:"/gate.php?"; fast_pattern:only; http_uri; content:"|3C|br|3E 3C|br|3E 3C|b|3E 3C|big|3E 3C|font color=|22|"; http_client_body; content:"|22 3E 20 5B|"; within:12; http_client_body; content:!"Accept-"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41444; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP remote buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; http_uri; content:"p="; http_uri; isdataat:263,relative; content:!"&"; within:263; http_uri; content:!"|0D 0A|"; within:263; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/bugtraq/2017/Jan/5; classtype:attempted-admin; sid:41445; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?[^\d&]/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41495; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/[?&]id=[^&]*?[^\d&]/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41496; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"|22|id|22|"; nocase; http_client_body; pcre:"/\x22id\x22\s*\x3A\s*\x22[^\x22]*?[^\d\x22]/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41497; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt"; flow:to_client,established; content:"Set-Cookie|3A 20|mediaplanBAK|3D|"; fast_pattern:only; content:"Set-Cookie|3A 20|mediaplan|3D|"; content:"Content-Type|3A 20|text/plain"; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/571a7014d1ee4e359e7eb5d2c7b3e6c527f4fcef322781f1c56a1b5bf28c8eb2/analysis/1485884599/; classtype:trojan-activity; sid:41498; rev:1;)
alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|03 00|"; within:2; distance:6; byte_test:3, >, 200, 1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt"; flow:to_server,established; content:"/passwordrecovered.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,95457; reference:cve,2017-5521; reference:url,kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability; classtype:attempted-recon; sid:41504; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Downloader.MacDownloader variant outbound connection"; flow:to_server,established; urilen:14; content:"/Servermac.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; classtype:trojan-activity; sid:41663; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_client_body; pcre:"/(^|&)ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41698; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping_IPAddr=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41699; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; pcre:"/[?&]ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41700; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS"; flow:to_server,established; content:"User-Agent|3A| Microsoft BITS"; http_header; content:"Host|3A 20|xn--"; fast_pattern:only; http_header; pcre:"/(\x2ebat|\x2eexe)$/smiU"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:41710; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_slave|0D 0A|"; depth:11; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41711; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Houdini backdoor file download request"; flow:to_server,established; content:"/ChromeSetup.bat"; fast_pattern:only; http_uri; content:"User-Agent|3A| Microsoft BITS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41712; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke installation attempt detected"; flow:to_server,established; content:"/Install/InstallWizard.aspx"; fast_pattern:only; http_uri; content:"executeinstall"; http_uri; metadata:ruleset community, service http; reference:cve,2015-2794; reference:url,www.exploit-db.com/exploits/39777; classtype:attempted-admin; sid:41713; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41722; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41723; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41724; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2018-0156; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?host_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41748; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_client_body; pcre:"/(^|&)host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41749; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]host_name=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41750; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; pcre:"/[?&]host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41751; rev:3;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,blog.talosintelligence.com/2017/05/wannacry.html; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A| Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42019; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/wroot/v3"; fast_pattern:only; http_uri; content:".do"; http_uri; content:"uuid="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42021; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; content:"Host: mbfce24rgn65bx3g."; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c1c31129a39441607c060a7da57855d3969cf47ce4119cda9beaf65b63faca60/analysis/; classtype:trojan-activity; sid:42059; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| WinHttpClient"; fast_pattern:only; http_header; content:"//Home/"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42128; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"commandId="; fast_pattern:only; http_uri; content:"/Home/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] (msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:established,to_server; dsize:12; content:"|7A 8D 9B DC|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42225; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt"; flow:to_server,established; content:"|08 E0 00 00 00 00|"; depth:6; offset:4; content:"|0D 0A|"; within:2; distance:1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service rdp; reference:cve,2017-0176; reference:cve,2017-9073; reference:url,www.securitytracker.com/id/1038264; classtype:policy-violation; sid:42255; rev:4;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:13; offset:4; content:"|01 00 00 00 00 00 00 00|"; within:8; distance:38; content:"|00 00 00 00 00|"; within:5; distance:6; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441638.aspx; classtype:policy-violation; sid:42256; rev:4;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; depth:9; offset:4; content:"|42 00|"; within:2; distance:21; content:"|0E 00|"; within:2; distance:29; content:!"|00 00|"; within:2; flowbits:set,smb.trans2.mid66; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42331; rev:3;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant ping command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; depth:9; offset:4; content:"|41 00|"; within:2; distance:21; content:"|0E 00 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:29; flowbits:set,smb.trans2.mid65; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42332; rev:6;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt"; flow:to_server,established; content:"|FF|SMB|A0|"; depth:5; offset:4; content:"|05 00|"; within:2; distance:64; byte_test:2,>,1024,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42338; rev:3;)
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory"; flow:to_client,established; content:"Frag"; fast_pattern; content:"Free"; content:"|FA FF FF|"; content:"|F8 FF FF|"; within:3; distance:5; content:"|F8 FF FF|"; within:3; distance:5; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42339; rev:3;)
# alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"|00 5C 00|I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42340; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] (msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:to_server,established; content:"856"; depth:3; offset:1; content:"856|9A F3 EC 89|"; within:7; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42398; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt"; flow:to_client,established; file_data; content:"Error"; content:".toString.call"; within:50; fast_pattern; content:"message"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0290; reference:url,technet.microsoft.com/en-us/library/security/4022344.aspx; classtype:attempted-admin; sid:42820; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt"; flow:to_server,established; file_data; content:"Error"; content:".toString.call"; within:50; fast_pattern; content:"message"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2017-0290; reference:url,technet.microsoft.com/en-us/library/security/4022344.aspx; classtype:attempted-admin; sid:42821; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"z9=base64%5fdecode"; fast_pattern:only; http_client_body; content:"=%40eval"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42834; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=edoced_46esab"; fast_pattern:only; http_client_body; content:"z0="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42835; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"=@eval(get_magic_quotes_gpc()?stripslashes($_POST["; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42836; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt"; flow:to_server,established; content:"/shell?"; fast_pattern:only; http_uri; urilen:>16,norm; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.pentestpartners.com/blog/pwning-cctv-cameras/; classtype:attempted-admin; sid:42857; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:established,to_server; content:"Connect.php?id="; fast_pattern:only; http_uri; content:"SessionID:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42880; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:to_server,established; content:"/JP-ja/js?"; fast_pattern:only; http_uri; content:"SessionID:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42881; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZoxPNG initial outbound connection"; flow:established, to_server; content:"/search?q=Google&go=&qs=n&form="; fast_pattern:only; http_uri; content:"pq=google&sc=8-1&sp=-1&sk="; http_uri; content:"Cookie|3A 20|SESSIONID="; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42882; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt"; flow:established,to_server; content:"/mm.jpg"; depth:7; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (compatible"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42883; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection"; flow:established,to_server; content:"/logon.aspx?Id="; fast_pattern:only; http_uri; content:"Cookie|3A 20|SessionData="; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42884; rev:2;)
alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WashingTon ssl certificate negotiation attempt"; flow:to_server,established; content:"WashingTon"; fast_pattern:only; content:"[email protected]"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent Win.Trojan.Agent malicious user agent"; flow:to_server,established; content:"User-Agent|3A| HttpBrowser/1.0"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42886; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; content:"|01 00 00 00 00|"; within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:42944; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"IPC$|00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:misc-activity; sid:43002; rev:4;)
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:misc-activity; sid:43003; rev:4;)
alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kabob outbound connection"; flow:to_server,established; content:"@|E9 03 00 00 00 00 00 00 00 00 64|"; fast_pattern:only; http_client_body; pcre:"/\/\d{8}\/\w{4}\/[A-F0-9]{4}\/[A-F0-9]{4}\/[A-Z0-9\-_~]{12}\.[aj]sp/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:43063; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|18 17 E9 E9 E9 E9|"; fast_pattern:only; isdataat:!7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43193; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|1B 17 E9 E9 E9 E9|"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43194; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.svn/entries file access attempt"; flow:to_server,established; content:"/.svn/entries"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43285; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/sh file access attempt"; flow:to_server,established; content:"/cgi-bin/sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43286; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/inetd.conf file access attempt"; flow:to_server,established; content:"/etc/inetd.conf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43287; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/motd file access attempt"; flow:to_server,established; content:"/etc/motd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43288; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/shadow file access attempt"; flow:to_server,established; content:"/etc/shadow"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43289; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ws_ftp.log file access attempt"; flow:to_server,established; content:"/ws_ftp.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:43290; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated application deployment attempt"; flow:to_server,established; content:"/soap/soaplet/soaprouter"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-1371; classtype:attempted-recon; sid:43291; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM database information request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/GetOneTenant"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43562; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user credentials request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/Users"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43563; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user creation detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/AddFirstUser"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:43564; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER WSFTP IpSwitch custom SITE command execution attempt"; flow:to_server,established; content:"SITE SETC"; nocase; metadata:ruleset community, service ftp; reference:cve,2004-1885; classtype:attempted-admin; sid:43663; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt"; flow:to_server,established; content:"/cgi-bin/cgictl?action=setTaskSettings"; fast_pattern:only; http_uri; content:"settings={|22|"; nocase; http_client_body; content:"taskId="; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9810; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43809; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]reportId=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43810; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId="; nocase; http_client_body; pcre:"/(^|&)reportId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43811; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Kaspersky Linux File Server WMC directory traversal attempt";
flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri;
content:"reportId"; nocase; http_client_body; content:"Content-Disposition";
nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?reportId((?!
^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy
security-ips drop, ruleset community, service http; reference:bugtraq,99330;
reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-
Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack;
sid:43812; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Kaspersky Linux File Server WMC cross site scripting attempt";
flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri;
content:"scriptName="; nocase; http_uri; pcre:"/[?&]scriptName=[^&]*?
([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:ruleset community,
service http; reference:bugtraq,99330; reference:cve,2017-9813;
reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-
Multiple-Vulnerabilities; classtype:attempted-user; sid:43813; rev:1;)
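Every rule in this file follows one grammar: a header (action, protocol, source address and port, direction, destination address and port) followed by a parenthesised, semicolon-separated option list, with a leading `#` marking a rule that the community ruleset ships disabled. Rule management (which rules are live, which IPS policies actually drop, what byte patterns a `content` match decodes to) is easier with that grammar parsed than with grep. The script below is an added example written for this note, not part of the Sourcefire/Talos ruleset or of Snort itself: it parses the header and options, decodes `|hex|` segments in `content` values, and reports drop policies. Its two sample rules are copied from this page (the Kaspersky WMC traversal rule, which ships disabled, and the Fareit rule); it handles only the option syntax that appears here (double-quoted values, `!` negation, `|hex|` escapes) and makes no attempt at full Snort rule validation.

```python
import re
from dataclasses import dataclass, field

# Header grammar shared by every rule in this file; a leading "#" means the
# community ruleset ships the rule disabled.
HEADER_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')


@dataclass
class Rule:
    enabled: bool
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ''
    sid: int = 0
    rev: int = 0
    classtype: str = ''
    contents: list = field(default_factory=list)    # [(bytes, negated)]
    pcres: list = field(default_factory=list)       # raw "/.../flags" strings
    references: list = field(default_factory=list)  # [(scheme, value)]
    metadata: list = field(default_factory=list)    # [(key, value)]


def split_options(body: str) -> list:
    """Split the option list on ';' while respecting double-quoted values."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]


def decode_content(value: str) -> bytes:
    """Turn a content string such as 'name=|22|getconfig|22|' into bytes:
    segments between '|' pairs are hex, everything else is literal text."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def _unquote(value: str) -> str:
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_rule(line: str):
    """Parse one rule line; returns None for blank lines and plain comments."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = Rule(enabled=m.group('disabled') is None, action=m.group('action'),
                proto=m.group('proto'), src=m.group('src'), sport=m.group('sport'),
                direction=m.group('dir'), dst=m.group('dst'), dport=m.group('dport'))
    for opt in split_options(m.group('body')):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == 'msg':
            rule.msg = _unquote(value)
        elif name == 'sid':
            rule.sid = int(value)
        elif name == 'rev':
            rule.rev = int(value)
        elif name == 'classtype':
            rule.classtype = value
        elif name == 'content':                 # content:!"..." is a negated match
            negated = value.startswith('!')
            rule.contents.append((decode_content(_unquote(value.lstrip('!'))), negated))
        elif name == 'pcre':
            rule.pcres.append(_unquote(value))
        elif name == 'reference':               # reference:cve,2017-9812
            scheme, _, ref = value.partition(',')
            rule.references.append((scheme, ref))
        elif name == 'metadata':                # metadata:policy security-ips drop, service http
            for item in value.split(','):
                key, _, rest = item.strip().partition(' ')
                rule.metadata.append((key, rest.strip()))
    return rule


def parse_ruleset(text: str) -> list:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def drop_policies(rule: Rule) -> list:
    """Names of the IPS policies (balanced-ips, security-ips, ...) that drop on this rule."""
    return [v.split()[0] for k, v in rule.metadata if k == 'policy' and v.split()[-1] == 'drop']


def sids_dropping_in(rules: list, policy: str) -> list:
    """SIDs of *enabled* rules that drop under the named policy; a disabled rule's
    drop metadata has no effect, which is easy to miss when reading the file."""
    return [r.sid for r in rules if r.enabled and policy in drop_policies(r)]


# Constructed input for the demo: two rules copied verbatim from this page.
SAMPLE_RULES = r'''
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]reportId=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43810; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"name=|22|getconfig|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/01092ea6b5eb749254cf61a58c7c8fe5f6700197643271202fe420ac7cc68d1f/detection; classtype:trojan-activity; sid:43972; rev:1;)
'''

if __name__ == '__main__':
    for r in parse_ruleset(SAMPLE_RULES):
        state = 'enabled' if r.enabled else 'disabled'
        print(f'sid {r.sid} rev {r.rev} [{state}] {r.msg} -> drops in {drop_policies(r)}')
```

Run against the whole file (after joining any lines an extraction tool has wrapped), `sids_dropping_in(rules, 'balanced-ips')` gives the set of rules that would actually block traffic in a default inline deployment, which is the list to review before enabling the ruleset in a drop policy.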
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.XAgent outbound connection"; flow:to_server,established; content:"(unknown version)"; http_header; content:"Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; pcre:"/\/(search|find|results|open|search|close|watch)\/\x3f[a-zA-Z0-9]{2,8}\x3d/Ui"; content:!"Referer"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html; reference:url,download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf; classtype:trojan-activity; sid:43825; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; urilen:11,norm; content:"/api/status"; fast_pattern:only; http_uri; pcre:"/^Host\x3A[^\x0a]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Him"; metadata:ruleset community, service http; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:43957; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"name=|22|getconfig|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/01092ea6b5eb749254cf61a58c7c8fe5f6700197643271202fe420ac7cc68d1f/detection; classtype:trojan-activity; sid:43972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; content:"did="; http_client_body; content:"/update/upfolder/updatefun.php"; fast_pattern:only; http_uri; content:"Dalvik/"; http_header; content:"Android"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43981; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; content:"did="; http_client_body; content:"/pockemon/squirtle/functions.php"; fast_pattern:only; http_uri; content:"Dalvik/"; http_header; content:"Android"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43982; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco DDR2200 ADSL gateway file download detected"; flow:to_server,established; content:"download.conf"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2017-11587; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44004; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_uri; pcre:"/[?&]pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44005; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pingAddr=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_client_body; pcre:"/(^|&)pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pingAddr((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2;)
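Four rules cover one DDR2200 parameter, and the split between sid 44005 and sid 44006 is the instructive part. Both key on `pingAddr=` in the URI, but 44005 runs its pcre over the normalized URI (`/U`) while 44006 matches `%26` in the raw URI (`http_raw_uri`, `/I`). The reason is that http_inspect percent-decodes the URI before the normalized buffer is inspected, so an encoded ampersand becomes a literal `&`, and the `[^&]*?` class in every one of these pcres treats `&` as the end of the parameter; the injected command would sit in what looks like the next parameter and 44005 would never see it. The raw-buffer rule closes that gap. The script below is an added example, not part of the ruleset: it translates the two pcres to Python, uses `urllib.parse.unquote` as a single-pass stand-in for the normalizer (an assumption; the real preprocessor does more), and runs constructed request URIs through both. The gateway's real CGI path is not given on this page, so the samples use `/waitPingqry` only to carry the substring the rules key on.

```python
import re
from urllib.parse import unquote

# The pcre bodies of sid 44005 (normalized URI, /Ui) and sid 44006 (raw URI, /Ii),
# carried over to Python's re; the trailing "i" flag becomes re.IGNORECASE.
NORMALIZED_INJECTION = re.compile(
    r'[?&]pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)', re.IGNORECASE)
RAW_ENCODED_AMPERSAND = re.compile(r'[?&]pingAddr=[^&]*?%26', re.IGNORECASE)


def normalize_uri(raw_uri: str) -> str:
    """Stand-in for the http_inspect normalized URI buffer: one pass of
    percent-decoding.  Assumption made for this example; the preprocessor also
    folds paths and handles other encodings that do not matter here."""
    return unquote(raw_uri)


def matching_sids(raw_uri: str) -> list:
    """Which of sid 44005 / 44006 would fire on a request with this raw URI,
    following their content and pcre chains."""
    norm = normalize_uri(raw_uri)
    hits = []
    # Shared prefix of both rules:
    #   content:"waitPingqry"; http_uri; content:"pingAddr="; nocase; http_uri;
    if 'waitPingqry' not in norm or 'pingaddr=' not in norm.lower():
        return hits
    if NORMALIZED_INJECTION.search(norm):                           # sid 44005
        hits.append(44005)
    if '%26' in raw_uri and RAW_ENCODED_AMPERSAND.search(raw_uri):  # sid 44006
        hits.append(44006)
    return hits


# Constructed request URIs with the sids each should trigger.
SAMPLES = {
    '/waitPingqry?pingAddr=192.0.2.1':            [],       # benign ping
    '/waitPingqry?pingAddr=192.0.2.1;id':         [44005],  # literal metacharacter
    '/waitPingqry?pingAddr=192.0.2.1%3Bid':       [44005],  # %3B decodes to ';'
    '/waitPingqry?pingAddr=192.0.2.1%24%28id%29': [44005],  # decodes to $(id)
    '/waitPingqry?pingAddr=192.0.2.1%26id':       [44006],  # '&' only visible in the raw URI
    '/waitPingqry?pingAddr=192.0.2.1%26id%3Bls':  [44006],  # 44005 stops at the decoded '&'
    '/waitPingqry?pingAddr=192.0.2.1%2526id':     [],       # double-encoded: neither rule
    '/other?pingAddr=192.0.2.1;id':               [],       # wrong endpoint
}


def check_samples() -> bool:
    return all(matching_sids(uri) == expected for uri, expected in SAMPLES.items())


if __name__ == '__main__':
    for uri, expected in SAMPLES.items():
        print(f'{uri:48} -> {matching_sids(uri)} (expected {expected})')
```

The double-encoded case is the caveat to keep in mind: `%2526` decodes once to `%26`, which neither buffer's pcre recognises, so if a target decodes its parameters a second time the attacker gets the same injection without tripping either rule. Detection for that needs a second decoding pass (or an explicit `%25` check), not another copy of the same pcre.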
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"3t2t3rgeg"; content:"fg2eq34df"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44399; rev:1;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"f2tee4"; content:"rvgvtfdf"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44400; rev:1;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"|00 92 93 45 3A 42 8B 15 4C|"; fast_pattern:only; content:"London"; content:"example.com"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,malware-traffic-analysis.net/2017/08/12/index.html; classtype:trojan-activity; sid:44401; rev:1;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"|00 DC 5E AE E6 3E EC 78 EC|"; content:"Alaska"; content:"[email protected]"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44402; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-admin"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44469; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-includes"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44470; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; within:2; distance:13; content:"Let's Encrypt"; content:"gloverkentok.us"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/220a2b2d7353a697496abcabf1b4c1990b8c9b7143e6dada17782ddd9ee2c232; classtype:trojan-activity; sid:44591; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; within:2; distance:13; content:"My Company Name LTD."; content:"domain.com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/00fa65c8fced0abfab3f544801014a349f7d960819d8d79c47abe090bd75ccfc; classtype:trojan-activity; sid:44592; rev:1;)
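The Trickbot and PandaZeus "certificate exchange" rules decrypt nothing. They match the server's Certificate handshake message, which TLS 1.2 and earlier send in the clear. `|16 03|` is the start of a TLS record of type Handshake with a 3.x version; `distance:13` then skips exactly the minor version byte, the 2-byte record length, the handshake type (0x0b), the 3-byte handshake length, the 3-byte certificate_list length and the 3-byte length of the first certificate, which puts the cursor on the first byte of the DER-encoded X.509 certificate. `|30 82|` is a DER SEQUENCE whose length needs two bytes, i.e. a certificate between 256 and 65535 bytes, and the remaining contents (`London`, `example.com`, `My Company Name LTD.`, the serial-number fragments) are subject, issuer and serial bytes the malware's self-signed or reused certificate happens to carry. The script below is an added example, not from the ruleset or from Snort: it builds such a record around a constructed stand-in certificate (not a real X.509 structure, just a SEQUENCE padded to size and carrying the ASCII strings) and applies the PandaZeus rules' chain (`within:2; distance:13`, which is the strict form; the Trickbot rules omit `within:2` and so accept `|30 82|` anywhere at or after that offset).

```python
import struct

HANDSHAKE = 0x16      # TLS record content type
CERTIFICATE = 0x0b    # handshake message type


def der_sequence(body: bytes) -> bytes:
    """Wrap body in a DER SEQUENCE with minimal length encoding: 0x30 then one
    length byte (<128), 0x81 plus one byte (<256), or 0x82 plus two bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b'\x81' + bytes([n])
    else:
        length = b'\x82' + struct.pack('>H', n)
    return b'\x30' + length + body


def fake_certificate(*strings: bytes, size: int = 700) -> bytes:
    """Constructed stand-in for an X.509 certificate (not a valid one): a DER
    SEQUENCE padded to `size` bytes that carries the ASCII strings a self-signed
    certificate exposes in its subject and issuer (organisation, locality, CN)."""
    body = b'\x0c'.join(strings)                 # 0x0c = DER UTF8String tag, for flavour
    body += b'\x00' * max(0, size - len(body))
    return der_sequence(body)


def handshake_record(msg_type: int, body: bytes, minor_version: int = 3) -> bytes:
    """One TLS record of type Handshake wrapping a single handshake message:
    record header (5 bytes), then message type, 3-byte length, body."""
    handshake = bytes([msg_type]) + len(body).to_bytes(3, 'big') + body
    return bytes([HANDSHAKE, 0x03, minor_version]) + struct.pack('>H', len(handshake)) + handshake


def certificate_record(*certs: bytes) -> bytes:
    """A Certificate message: 3-byte certificate_list length, then each
    certificate prefixed with its own 3-byte length, as a pre-TLS 1.3 server sends it."""
    entries = b''.join(len(c).to_bytes(3, 'big') + c for c in certs)
    return handshake_record(CERTIFICATE, len(entries).to_bytes(3, 'big') + entries)


def cert_rule_matches(payload: bytes, *needles: bytes) -> bool:
    """Apply the rules' chain: content:"|16 03|"; content:"|30 82|"; within:2;
    distance:13; followed by the remaining contents.  Those carry no relative
    modifiers in the rules, so Snort searches the whole buffer for them; and
    like Snort, retry later |16 03| occurrences if the first one does not line up."""
    pos = payload.find(b'\x16\x03')
    while pos != -1:
        cursor = pos + 2                       # end of the |16 03| match
        # distance:13 = minor version (1) + record length (2) + handshake type (1)
        #             + handshake length (3) + certificate_list length (3)
        #             + first certificate length (3)
        if payload[cursor + 13:cursor + 15] == b'\x30\x82':
            return all(n in payload for n in needles)
        pos = payload.find(b'\x16\x03', pos + 1)
    return False


if __name__ == '__main__':
    record = certificate_record(fake_certificate(b'London', b'example.com'))
    print('DER starts at offset 15:', record[15:17].hex())
    print('sid 44401 strings match:', cert_rule_matches(record, b'London', b'example.com'))
```

Two caveats follow directly from the offsets. A certificate under 256 bytes encodes as `30 81 xx` and falls outside the rule, as does a chain whose first certificate is not the leaf the strings came from. More importantly, TLS 1.3 moves the Certificate message under the handshake encryption, so these patterns only see TLS 1.2 and earlier (or a downgraded handshake); for 1.3 the equivalent fingerprinting has to move to JA3/JA3S-style ClientHello and ServerHello features or to TLS interception.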
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER Mikrotik
RouterOS denial of service attempt"; flow:to_server,established; content:"|12 02|";
depth:2; content:"|FF ED 00 00 00 00|"; distance:0; metadata:ruleset community;
reference:cve,2012-6050; classtype:denial-of-service; sid:44643; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Zusy
variant outbound connection"; flow:to_server,established;
content:"/QualityCheck/ni6.php"; fast_pattern:only; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/5dea4247e021eeeb1347ff269a357dee77e8ac1837
383b0ef37fb123339639a1/analysis/; classtype:trojan-activity; sid:44652; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER NetSupport
Manager RAT outbound connection detected"; flow:to_server,established;
content:"User-Agent|3A| NetSupport Manager/"; fast_pattern:only; content:"CMD=";
metadata:ruleset community, service http;
reference:url,www.virustotal.com/#/file/b87ef28981defd135496e25233cc7a47a376a75ddea
97fcd4c0927995dd22e47/detection; classtype:trojan-activity; sid:44678; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear
DGN1000 series routers authentication bypass attempt"; flow:to_server,established;
content:"/setup.cgi"; nocase; http_uri; content:"currentsetting.htm";
fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-
ips drop, policy security-ips drop, ruleset community, service http;
reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/;
classtype:attempted-admin; sid:44687; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear
DGN1000 series routers arbitrary command execution attempt";
flow:to_server,established; content:"/setup.cgi"; nocase; http_uri;
content:"todo=syscmd"; fast_pattern:only; content:"cmd="; nocase; metadata:policy
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset
community, service http; reference:bugtraq,60281; reference:url,www.exploit-
db.com/exploits/25978/; classtype:attempted-admin; sid:44688; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gen variant outbound connection"; flow:established,to_server;
content:"/aspnet_client/system_web/4_0_30319/update/"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; reference:url,us-cert.gov/ncas/alerts/TA17-293A;
classtype:trojan-activity; sid:44689; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal
field separator use in HTTP URI attempt"; flow:to_server,established;
content:"$IFS"; http_uri; metadata:ruleset community, service http; classtype:web-
application-attack; sid:44698; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal
field separator use in HTTP URI attempt"; flow:to_server,established; content:"$
{IFS}"; http_uri; metadata:ruleset community, service http; classtype:web-
application-attack; sid:44699; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command
buffer overflow attempt"; flow:to_server; content:"NOTIFY "; depth:7; content:"|3A|
device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy
security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958;
reference:cve,2012-5962; classtype:attempted-admin; sid:44743; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.KopiLuwak variant outbound request detected";
flow:to_server,established; content:"User-Agent|3A|"; http_header;
content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; distance:0;
fast_pattern; http_header; pcre:"/Win64\x3B\sx64\x29\x3B\s[0-9]
{16}\w{16}\x0D\x0A/iH"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-
payload-from-turla/; classtype:trojan-activity; sid:44762; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.KopiLuwak variant outbound request detected";
flow:to_server,established; content:"%D0%8BTl%DC"; depth:11; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; reference:url,www.proofpoint.com/us/threat-
insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-
themed-attack; classtype:trojan-activity; sid:44763; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik
RouterOS cross site request forgery attempt"; flow:to_server,established;
content:"/cfg"; fast_pattern:only; http_uri; content:"process=password"; nocase;
http_uri; content:"password1="; nocase; http_uri; content:"password2="; nocase;
http_uri; content:"button="; nocase; http_uri; metadata:ruleset community, service
http; reference:bugtraq,73013; reference:cve,2015-2350; classtype:policy-violation;
sid:44790; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9251 (msg:"SERVER-OTHER QNAP transcode
server command injection attempt"; flow:to_server,established; content:"|01 00 00
00|"; depth:4; content:"|7C|"; distance:0; content:"|09|"; within:50;
metadata:ruleset community; reference:url,www.qnap.com/en-us/; classtype:attempted-
admin; sid:44971; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear
WNR2000 information leak attempt"; flow:to_server,established;
content:"/BRS_netgear_success.html"; fast_pattern:only; http_uri; metadata:policy
max-detect-ips drop, policy security-ips drop, ruleset community, service http;
reference:cve,2016-10175; reference:url,seclists.org/fulldisclosure/2016/Dec/72;
classtype:attempted-recon; sid:45001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Neuron variant inbound service request detected";
flow:to_server,established; content:"/ews/exchange/"; fast_pattern:only; http_uri;
content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-
activity; sid:45062; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Neuron variant inbound service request detected";
flow:to_server,established; content:"/ews/exchange/"; fast_pattern:only; http_uri;
content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-
activity; sid:45063; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Neuron variant inbound service request detected";
flow:to_server,established; content:"/W3SVC"; fast_pattern:only; http_uri;
content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-
activity; sid:45064; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Neuron variant inbound service request detected";
flow:to_server,established; content:"/W3SVC"; fast_pattern:only; http_uri;
content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-
activity; sid:45065; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Backdoor.StoneDrill server selection outbound connection";
flow:to_server,established; content:"public/Check_Exist.php"; fast_pattern:only;
http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf;
classtype:trojan-activity; sid:45090; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established;
content:"username=MD5Sum"; fast_pattern:only; http_client_body;
content:"password=MD5Sum"; http_client_body; content:"button=Login";
http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf;
classtype:trojan-activity; sid:45091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Backdoor.StoneDrill get commands outbound connection";
flow:to_server,established; content:"/insert/index?"; fast_pattern:only; http_uri;
content:"id="; http_uri; content:"hst="; http_uri; content:"ttype="; http_uri;
content:"state="; http_uri; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf;
classtype:trojan-activity; sid:45092; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER SSDP M-SEARCH
ssdp-all potential amplified distributed denial-of-service attempt";
flow:to_server,no_stream; content:"M-SEARCH"; depth:9; content:"ssdp:all";
fast_pattern:only; detection_filter:track by_src,count 50,seconds 1;
metadata:ruleset community, service ssdp; reference:cve,2013-5211;
reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:attempted-dos;
sid:45157; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Osx.Adware.SurfBuyer adware outbound connection detected";
flow:to_server,established; content:"/report/?application="; fast_pattern:only;
http_uri; content:"guid="; http_uri; content:"details="; http_uri;
content:"action="; http_uri; metadata:policy security-ips drop, ruleset community,
service http;
reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf764
38c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45397; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Osx.Adware.SurfBuyer adware outbound connection detected";
flow:to_server,established; urilen:>1000; content:"/click?h="; fast_pattern:only;
http_uri; content:"subid="; http_uri; content:"data_fb="; http_uri;
content:"data_rtt="; http_uri; content:"data_proto="; http_uri; content:"data_ic=";
http_uri; content:"data_ss="; http_uri; metadata:policy security-ips drop, ruleset
community, service http;
reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf764
38c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45398; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established;
content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q=";
distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-
application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-
activity; sid:45400; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER
TrendMicro ServerProtect server configuration file download detected";
flow:to_server,established; content:"/activeupdate/ini_xml.zip"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; reference:cve,2017-9035;
reference:url,www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-
vulnerabilities; classtype:attempted-recon; sid:45411; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-
AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established;
urilen:>64; content:"/deleteOfflineClient.cgi"; fast_pattern:only; http_uri;
content:"delete_offline_client="; http_uri; pcre:"/[?&]delete_offline_client=[^&]
{14}/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset
community, service http; reference:cve,2017-12754; classtype:attempted-admin;
sid:45412; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Osx.Adware.Mughthesec outbound connection attempt"; flow:to_server,established;
content:"/screens/"; fast_pattern; http_uri; content:"/"; within:1; distance:8;
http_uri; content:"=="; within:2; distance:6; http_uri; metadata:ruleset community,
service http; reference:url,objective-see.com/blog/blog_0x20.html;
classtype:trojan-activity; sid:45545; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik
RouterOS jsproxy readPostData memory corruption attempt";
flow:to_server,established; content:"/jsproxy"; depth:8; fast_pattern; nocase;
http_uri; content:"|0D 0A|Content-Length: "; nocase;
byte_test:10,>,0x20000,0,relative,string,dec; metadata:policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,forum.mikrotik.com/viewtopic.php?t=119308; classtype:attempted-admin;
sid:45555; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Unix.Trojan.Vpnfilter variant outbound connection attempt";
flow:to_server,established; content:"User-Agent: Mozilla/6.1 (compatible|3B| MSIE
9.0|3B| Windows NT 5.3|3B| Trident/5.0)|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-
activity; sid:45563; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Unix.Trojan.Vpnfilter variant outbound connection attempt";
flow:to_server,established; content:"User-Agent: Mozilla/5.0|0D 0A|Host: ";
fast_pattern:only; http_header; content:"Accept: */*|0D 0A|Content-Type:
application/x-www-form-urlencoded|0D 0A 0D 0A|"; http_header; content:!"Cookie:";
http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-
activity; sid:45564; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Rokrat variant outbound connection detected";
flow:to_server,established; content:".php?id="; http_uri; content:"fp_vs=";
fast_pattern:only; http_uri; content:"os_vs="; http_uri; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/#/file/3004196da6055c6f062c94a9aae8dc357fa19b953b0
71049083e69e840083cf9/detection; classtype:trojan-activity; sid:45607; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: (msg:"MALWARE-CNC Vbs.Trojan.Agent
outbound connection"; flow:to_server,established; content:"Content-Length: 0";
fast_pattern:only; content:"User-Agent"; content:"|2D 7C 2D|"; within:10;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community;
reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-
east.html;
reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653
b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45642; rev:2;)
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent
inbound payload download"; flow:to_client,established; content:"s0|2D 7C 2D|";
fast_pattern:only; content:"Content-Length"; content:"s0|2D 7C 2D|"; within:200;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community;
reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-
east.html;
reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653
b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45643; rev:3;)
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent
inbound payload download"; flow:to_client,established; content:"s1|2D 7C 2D|";
fast_pattern:only; content:"Content-Length"; content:"s1|2D 7C 2D|"; within:200;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community;
reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-
east.html;
reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653
b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45644; rev:3;)
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent
inbound payload download"; flow:to_client,established; content:"s2|2D 7C 2D|";
fast_pattern:only; content:"Content-Length"; content:"s3|2D 7C 2D|"; within:200;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community;
reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-
east.html;
reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653
b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45645; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: (msg:"MALWARE-CNC Vbs.Trojan.Agent
outbound system information disclosure"; flow:to_server,established;
content:"POST /is-return "; depth:16; fast_pattern; content:"User-Agent";
content:"|2D 7C 2D|"; within:10; metadata:impact_flag red, policy balanced-ips
drop, policy max-detect-ips drop, policy security-ips drop, ruleset community;
reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-
east.html;
reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653
b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45646; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.Silverstar outbound connection"; flow:to_server,established;
content:"response=fallback"; fast_pattern:only; http_uri; content:"/api.php?";
depth:9; http_uri; content:"gpu="; nocase; http_uri; metadata:impact_flag red,
policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/#/file/3f751799a501532f43ca5f12fe80aa0bad78f9f5d57
e76bf49b401bb99f355df/detection; classtype:trojan-activity; sid:45960; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection"; flow:to_server,established; content:"Information"; depth:11; content:"false|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45961; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check"; flow:to_client,established; content:"PNC|2A 2D 5D|NK|5B 2D 2A|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45962; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check"; flow:to_server,established; content:"/index.php?udpool="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45963; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound system information disclosure"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|bin"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45964; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|ping"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45966; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|trp"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45967; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|note"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45968; rev:1;)
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:127; content:"|FF FF FF FF|"; within:4; distance:123; byte_extract:4,28,ids; byte_test:4,=,ids,174,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,172,relative; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45977; rev:1;)
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:111; content:"|FA FF FF|"; within:3; distance:108; content:"|FA FF FF|"; distance:0; byte_extract:4,28,ids; byte_test:4,=,ids,242,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,240,relative; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45978; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection"; flow:to_server,established; content:"|72 00 17|com.net.LoginDataPacket"; fast_pattern:only; content:"|74 00 13|Lcom/net/LoginData"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45979; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection"; flow:to_client,established; content:"|74 00 29|net.oscp.client.keylogger.KeystrokeLogger"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45980; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Sandvine PacketLogic http redirection attempt"; flow:to_client,established; content:"Temporary Redirect"; fast_pattern:only; id:13330; fragbits:!MDR; flags:FA; content:"307"; depth:3; http_stat_code; content:"Temporary Redirect"; nocase; http_stat_msg; metadata:ruleset community, service http; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:misc-activity; sid:45983; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gen variant outbound communication"; flow:established,to_server; content:"/A56WY"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,us-cert.gov/ncas/alerts/TA17-293A; classtype:trojan-activity; sid:46048; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"[^8]&&&"; fast_pattern:only; content:"[^8]&&&"; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46050; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt"; flow:to_server,established; content:"QDAwMD"; depth:6; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection; classtype:trojan-activity; sid:46051; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT"; flow:to_server,established; content:"User-Agent|3A| Uploador|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46052; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection"; flow:to_server,established; content:"/football/goal"; fast_pattern:only; http_uri; content:"ball="; http_client_body; content:"score="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46066; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"pc="; http_client_body; content:"pc_data="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46067; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty module download request"; flow:to_server,established; content:"/football/download/"; depth:19; http_uri; content:!"User-Agent|3A|"; nocase; http_header; content:!"Accept|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty module request"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"cnumber="; http_uri; content:"orname="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46069; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty file exfiltration outbound request"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"id="; depth:3; http_client_body; content:"&pc="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46070; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS MikroTik RouterOS buffer overflow attempt"; flow:to_server,established; content:"|81 00|"; depth:2; byte_test:2,>,75,0,relative; byte_extract:2,0,len,relative; isdataat:!len,relative; isdataat:len; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,103427; reference:cve,2018-7445; classtype:attempted-user; sid:46076; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; http_uri; content:"action="; distance:0; http_uri; pcre:"/[?&](wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46080; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"action="; http_client_body; pcre:"/(^|&)(wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pim"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46081; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46082; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_client_body; pcre:"/(^|&)next_page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46083; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]next_page=[^&]*?\x2e\x2e\x2f/Ui"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46084; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; pcre:"/[?&]ping_(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46085; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)(ip|size|times)=[^&]*?%26/Ii"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46086; rev:2;)
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:2;)
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HW32 variant outbound connection"; flow:to_server,established; content:"Cpa=+EXEC+"; depth:10; http_client_body; content:"%27%2C%27"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0b2e8a9413d3b34d532d553922bd402830c1784302fc8ecaeeee17e826798d46/analysis/; classtype:trojan-activity; sid:46129; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; content:"remetente="; depth:10; fast_pattern; http_client_body; content:"&destinatario"; distance:0; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46136; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt"; flow:to_server,established; content:"POST /b/req/"; depth:12; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/octet-stream|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/"; within:103; distance:24; content:")|0D 0A|Host: "; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:46137; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E series denial of service attempt"; flow:to_server,established; content:"mfgtst.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:denial-of-service; sid:46287; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; pcre:"/[?&]ping_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46297; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)ip=[^&]*?%26/Ii"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46298; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46299; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?ping_ip((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46300; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow"; flow:to_server,established; content:"/cgi-bin/filemanager/wfm2Login.cgi"; fast_pattern:only; http_uri; content:"X-Forwarded-For"; nocase; http_raw_header; isdataat:90,relative; pcre:"/X-Forwarded-For:[^\n\r]{90}/Hsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.qnap.com/en/security-advisory/nas-201712-15; classtype:web-application-attack; sid:46301; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; pcre:"/[?&]SMB_(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46305; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46306; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB"; nocase; http_client_body; pcre:"/(^|&)SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46307; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?SMB_(LOCATION|USERNAME)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46308; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; content:"p="; nocase; http_uri; isdataat:260,relative; pcre:"/[?&]p=[^&\s]{260}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46309; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; isdataat:35,relative; pcre:"/[?&]u=[^&\s]{35}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46310; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/NETGEAR_WNR2000.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46312; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/upg_restore.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46313; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/router-info.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46314; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla restore.php PHP object injection attempt"; flow:to_server,established; content:"/administrator/components/com_joomlaupdate/restore.php"; fast_pattern:only; http_uri; content:"factory="; nocase; http_uri; content:"OjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7"; content:"aHR0cDovL"; metadata:ruleset community, service http; reference:cve,2014-7228; classtype:web-application-attack; sid:46315; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal 8 remote code execution attempt"; flow:to_server,established; content:"element_parents="; fast_pattern:only; http_uri; content:"#value"; http_uri; content:"drupal_ajax"; http_uri; pcre:"/(%23|#)(submit|validate|access_callback|pre_render|post_render|lazy_builder)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-7600; reference:url,www.drupal.org/sa-core-2018-002; classtype:attempted-admin; sid:46316; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server,established; content:"|C0 F3 AC 2A 40 79 49 0C A3 6E 89 64 73 66 0F 0B|"; content:"|5D FC 67 3A 16 DC 00 56 A3 6E 89 64 73 66 0F 0B|"; metadata:ruleset community; classtype:attempted-admin; sid:46317; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server; content:"|59 0D B1 E7 67 23 51 BA 5B 5D 52 33 91 0D 09 7F|"; content:"|09 44 80 0E DE B6 FA 3B 5B 5D 52 33 91 0D 09 7F|"; metadata:ruleset community; classtype:attempted-admin; sid:46318; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/wlg_sec_profile_main.cgi"; fast_pattern:only; http_uri; content:"ssid="; nocase; http_client_body; pcre:"/ssid=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46322; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/fw_serv_add.cgi"; fast_pattern:only; http_uri; content:"userdefined="; nocase; http_client_body; pcre:"/userdefined=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46323; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"SERVER-OTHER QNAP QTS hard coded credential access attempt"; flow:to_server,established; content:"PASS joxu06wj/|0D 0A|"; fast_pattern:only; metadata:ruleset community, service ftp; reference:cve,2015-7261; classtype:default-login-attempt; sid:46335; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Matrix outbound connection"; flow:to_server,established; content:"add.php?apikey="; http_uri; content:"&compuser="; http_uri; content:"&sid="; http_uri; content:"&phase="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,"www.virustotal.com/#/file/996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9/detection"; classtype:trojan-activity; sid:46339; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt"; flow:to_server,established; content:"administrator/components/com_joomlaupdate/restoration.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2014-7229; classtype:web-application-attack; sid:46340; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt"; flow:to_client,established; file_data; content:"administrator/index.php"; fast_pattern:only; content:"option=com_joomlaupdate"; nocase; content:"task=update.install"; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7229; classtype:web-application-attack; sid:46341; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER QNAP QTS cross site request forgery attempt"; flow:to_client,established; file_data; content:"cgi-bin/create_user.cgi"; fast_pattern:only; content:"function="; nocase; content:"subfun="; nocase; content:"NAME="; nocase; content:"PASSWD="; nocase; content:"VERIFY="; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0144; classtype:attempted-admin; sid:46342; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46376; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46377; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:established,to_server; content:"IHkoeWRrcnkpIikqNy95ZCB5LSl5ZCB5"; depth:40; fast_pattern; http_client_body; content:!"Referer|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/fd08f6bc823cbfa495f0568ba4284e02f1cad57e56bd04ef0a0b948ea9dddee4/details; classtype:trojan-activity; sid:46378; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Spyware.Autoit outbound connection"; flow:to_server,established; content:"win32=FFD8FFE000104A464946"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ac4e164b463c313af059760ce1f830c19b0d5a280ec80554e8f77939143e24e; classtype:trojan-activity; sid:46416; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:["; fast_pattern:only; content:"RES_OK"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46421; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:["; fast_pattern:only; content:"RES_OK"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46422; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kraens initial outbound request"; flow:to_server,established; content:"/up_d.php"; fast_pattern:only; http_uri; content:"{|22|i|22|:"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46423; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Doyo initial connection"; flow:established, to_server; content:"data=85702b2fccafcb2f"; depth:21; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46433; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Doyo client outbound connection"; flow:established,to_server; content:"|01 00 00 00 01 01 00 00 01 00 00 00 00 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46434; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string "; flow:to_server,established; content:"User-Agent|3A| USR-KL"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46435; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A"; fast_pattern:only; content:"Workbook_Open"; nocase; content:"Document_Open"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46436; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A"; fast_pattern:only; content:"Workbook_Open"; nocase; content:"Document_Open"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46437; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"Shell"; nocase; content:"vbHide"; within:100; fast_pattern; content:"Chr"; nocase; content:"Asc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46438; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"Shell"; nocase; content:"vbHide"; within:100; fast_pattern; content:"Chr"; nocase; content:"Asc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46439; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration"; flow:established,to_server,only_stream; content:"GET /v1 HTTP/1.1"; depth:16; fast_pattern; content:"Connection: "; http_header; content:"User-Agent: "; http_header; content:"Accept-Encoding: "; http_header; content:"Accept-Language: "; http_header; content:"Host: "; http_header; detection_filter:track by_src,count 3,seconds 6; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c/analysis/; classtype:trojan-activity; sid:46482; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TwonkyMedia server directory listing attempt"; flow:to_server,established; content:"/rpc/dir"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2018-7171; classtype:web-application-attack; sid:46485; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Ammy heartbeat"; flow:to_server,established; content:"id="; depth:3; offset:5; content:"&os="; within:4; distance:8; content:"&priv="; distance:0; content:"&cred="; distance:0; content:"&pcname="; distance:0; content:"&build_time="; distance:0; fast_pattern; content:"&card="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46487; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ammy download attempt"; flow:to_server,established; content:"/q2/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&c="; http_uri; content:"&mk="; http_uri; content:"&il="; http_uri; content:"&vr="; http_uri; content:"&bt="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46488; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; content:".php?&1001="; fast_pattern:only; http_uri; content:"99="; http_uri; content:"f1="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46501; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; content:".php?&1001="; fast_pattern:only; http_uri; content:"1="; http_client_body; content:"2="; http_client_body; pcre:"/(^|&)\d{1,2}=[^&]*?\d{4}/Pm"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46502; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; pcre:"/[?&]path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46510; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]path=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46511; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_client_body; pcre:"/(^|&)path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46512; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?path((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46513; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; pcre:"/[?&]url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46514; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]url=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46515; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_client_body; pcre:"/(^|&)url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46516; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?url((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46517; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; content:"/set.cgi"; fast_pattern:only; http_uri; content:"n=TLNET_EN"; nocase; http_uri; content:"v=1"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2018-1146; classtype:policy-violation; sid:46518; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; content:"/set.cgi"; fast_pattern:only; http_uri; content:"n=TLNET_EN"; nocase; http_client_body; content:"v=1"; nocase; http_client_body; metadata:ruleset community, service http; reference:cve,2018-1146; classtype:policy-violation; sid:46519; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload second stage download request"; flow:established,to_server; isdataat:!100; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3A 20|http"; http_header; content:".zip HTTP/1.1|0D 0A|Host|3A 20|"; fast_pattern:only; pcre:"/GET \/\w*.zip HTTP\/1.1\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:46611; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Unruy outbound callout"; flow:to_server,established; content:".php?q="; fast_pattern:only; http_uri; content:"Accept-Language: en-us"; http_header; content:"Accept-Encoding: gzip, deflate"; http_header; content:"Connection: Keep-Alive"; http_header; content:"Referer: http://www.google.com"; http_header; pcre:"/.php\?q=\d{1,4}\.\d{2,4}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.[0-9a-f]{64}\.1.\d{4,6}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46612; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; content:"/DigitalGuardian/Management/ServerSettingsPDFTemplates.aspx"; fast_pattern:only; http_uri; content:"inputFilePath"; nocase; http_client_body; content:".asp"; distance:0; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]inputFilePath[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-10173; classtype:web-application-attack; sid:46665; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; content:"/DigitalGuardian/Policies/PromptSkin.aspx"; fast_pattern:only; http_uri; content:"skinFile"; nocase; http_client_body; content:".asp"; distance:0; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]skinFile[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-10173; classtype:web-application-attack; sid:46666; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper malicious script download attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"ActiveXObject"; nocase; content:"WScript.Shell"; fast_pattern; nocase; content:"p o w e r s h e l l"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46742; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt"; flow:to_server,established; content:".php?utma"; fast_pattern:only; http_uri; content:!"Referer:"; nocase; http_header; pcre:"/(stem|slick)\.php\?utma/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46743; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt"; flow:to_client,established; content:"Content-Type:"; nocase; http_header; content:"application/java-vm"; within:50; fast_pattern; http_header; file_data; content:"MZ"; depth:2; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46744; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:established,to_server; content:"|00 07|nemesis"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46747; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:established,to_server; content:"|00 05|child|01 00 16|"; depth:11; content:"|22|magic|22|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46748; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI SQL injection attempt"; flow:to_server,established; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; nocase; http_uri; pcre:"/[?&]selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46773; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI SQL injection attempt"; flow:to_server,established; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; nocase; http_client_body; pcre:"/(^|&)selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46774; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data="; nocase; http_uri; pcre:"/[?&]command_data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46775; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]command(\x5f|%5f)data=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46776; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command"; nocase; http_client_body; pcre:"/(^|&)command(\x5f|%5f)data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46777; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?command_data((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46778; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI database settings modification attempt"; flow:to_server,established; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtDBname=nagiosql"; nocase; metadata:ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46779; rev:1;)
alert tcp $EXTERNAL_NET [443,8443] -> $HOME_NET any (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_client,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46782; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,8443] (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_server,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46783; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string"; flow:to_server,established; content:"User-Agent|3A| Mozilla v5.1"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46785; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Zebrocy initial outbound request"; flow:to_server,established; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; depth:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46786; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/telg/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46787; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/telg/index.php?set=show"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46788; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/get/index.php"; http_uri; content:"id=Z29nbw=="; fast_pattern:only; http_uri; content:"user="; http_uri; content:"pass="; http_uri; content:"data="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46789; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/spyMobile/upload.php"; fast_pattern:only; http_uri; content:"iemi="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46790; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template="; nocase; http_client_body; pcre:"/(^|&)template=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46802; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]template=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46803; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?template((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46804; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"/isc/get_sid.aspx"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-17974; classtype:attempted-user; sid:46805; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"/isc/get_sid_js.aspx"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-17974; classtype:attempted-user; sid:46806; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|toknowall|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/domain/toknowall.com/information/; classtype:trojan-activity; sid:46807; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt"; flow:to_server,established; content:"/getConfigExportFile.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-3813; classtype:attempted-user; sid:46817; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Satan outbound connection"; flow:to_server,established; content:"/data/token.php"; fast_pattern:only; http_uri; content:"status="; nocase; http_uri; content:"code="; nocase; http_uri; content:"Winnet Client"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46818; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Ransomware.Satan payload download"; flow:to_server,established; content:"/cab/sts.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46819; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
DotNetNuke DreamSlider arbitrary file download attempt";
flow:to_server,established;
content:"/DesktopModules/DreamSlider/DownloadProvider.aspx"; fast_pattern:only;
nocase; http_uri; content:"file="; nocase; http_uri; metadata:ruleset community,
service http; classtype:web-application-attack; sid:46824; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Dunihi
outbound connection"; flow:to_server,established; content:"|00 00 A2 30 81 9F 30 0D
06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00|";
depth:32; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips
drop, policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0
daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:46827; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.RedLeaves variant outbound connection"; flow:to_server,established;
content:".NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Content-Length";
fast_pattern:only; http_header; urilen:<20; content:"/index.php"; http_uri;
content:"POST"; http_method; content:"Connection: Keep-Alive|0D 0A|Accept: */*|0D
0A|"; http_header; content:!"Content-Type"; http_header; content:!"Referer";
http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy max-
detect-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20
cfcc274427a0b39cb21b7b/analysis/; classtype:trojan-activity; sid:46839; rev:1;)
# alert udp any 67 -> $HOME_NET 68 (msg:"OS-LINUX Red Hat NetworkManager DHCP
client command injection attempt"; content:"|63 82 53 63 35|"; content:"|FC|";
within:50; pcre:"/([\xfc]).{0,50}([\x27])([\x20\x26\x3b\x7c]|
[\x3c\x3e\x24]\x28)+/i"; metadata:policy max-detect-ips drop, ruleset community,
service dhcp; reference:cve,2018-1111;
reference:url,access.redhat.com/security/cve/cve-2018-1111; classtype:attempted-
user; sid:46847; rev:1;)
alert tcp $EXTERNAL_NET 20480 -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.CowerSnail command and control response detected";
flow:to_client,established; content:"pk"; depth:2; content:"R|00|e|00|q|00|u|00|e|
00|s|00|t|00|"; fast_pattern:only; content:"|00|a|00|r|00|g|00|";
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service irc;
reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc
5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46872; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 20480 (msg:"MALWARE-CNC
Win.Trojan.CowerSnail initial outbound connection attempt";
flow:to_server,established; content:"+CHANNEL|0B|"; fast_pattern:only;
content:"line-client"; metadata:impact_flag red, policy balanced-ips drop, policy
max-detect-ips drop, policy security-ips drop, ruleset community, service irc;
reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc
5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46873; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Joanap
variant outbound connection"; flow:to_server,established; content:"TO: Joana
<[email protected]>"; fast_pattern:only; content:"SUBJECT: |5B|T|5D|";
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service smtp;
reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f
7a3f10268d9439ef67885/detection;
reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb370083
7c941ea2e9afd3255981e/detection; classtype:trojan-activity; sid:46885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Nocturnal outbound connection"; flow:to_server,established;
content:"/server/gate.php"; fast_pattern:only; http_uri; content:"name=|22|hwid|
22|"; http_client_body; content:"name=|22|platform|22|"; http_client_body;
content:"name=|22|pcount|22|"; http_client_body; content:"name=|22|cccount|22|";
http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-
detect-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f5
83f893b2d2d4009da15a4e/analysis/; classtype:trojan-activity; sid:46895; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Fareit variant outbound connection"; flow:to_server,established;
content:"/panel/logout.php"; depth:17; http_uri; content:!"Accept"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e043
08d695f473e74f9600/analysis/; classtype:trojan-activity; sid:46922; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Dropper outbound connection"; flow:to_server,established; content:"User-
Agent: HTTPREAD|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/782cc4188618cf0c4815f85ea7873a004464095f5e
d459b8d1579fa27ce5810e/analysis/; classtype:trojan-activity; sid:46936; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Danabot outbound connection"; flow:to_server,established;
content:"/index.php?m=S&"; fast_pattern:only; http_uri; content:"&a="; http_uri;
content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri;
content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy max-detect-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d
9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46966; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Danabot outbound connection"; flow:to_server,established;
content:"/index.php?m=F&"; fast_pattern:only; http_uri; content:"&a="; http_uri;
content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri;
content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy max-detect-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d
9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46967; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Danabot outbound connection"; flow:to_server,established;
content:"/index.php?m=T&"; fast_pattern:only; http_uri; content:"&a="; http_uri;
content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri;
content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy max-detect-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d
9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46968; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Autophyte dropper variant outbound connection";
flow:to_server,established; urilen:10; content:"/mainls.cs"; fast_pattern:only;
http_uri; content:"Content-Type: application/octet-stream"; nocase; http_header;
content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy max-
detect-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/#/file/086a50476f5ceee4b10871c1a8b0a794e96a3379663
82248a8289598b732bd47/detection; classtype:trojan-activity; sid:46969; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Autophyte RAT variant outbound connection"; flow:to_server,established;
content:"Content-Disposition: form-data|3B| name=|22|board_id|22|";
fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B|
name=|22|user_id|22|"; http_client_body; content:"Content-Disposition: form-data|
3B| name=|22|file1|22|"; http_client_body; content:!"Referer"; http_header;
metadata:ruleset community, service http;
reference:url,www.virustotal.com/#/file/c10363059c57c52501c01f85e3bb43533ccc639f0ea
57f43bae5736a8e7a9bc8/detection;
reference:url,www.virustotal.com/#/file/e98991cdd9ddd30adf490673c67a4f8241993f26810
da09b52d8748c6160a292/detection; classtype:trojan-activity; sid:46970; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE
Microsoft Office Discovery User-Agent to a potential URL shortener service";
flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D
0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"User-Agent:
Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25;
http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header;
content:!"Cookie|3A|"; http_header; metadata:ruleset community, service http;
reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0
b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46979; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE
Microsoft Office Discovery User-Agent to a potential URL shortener service";
flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D
0A|"; within:14; http_header; content:"HEAD"; http_method; content:"User-Agent:
Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25;
http_header; content:!"Accept"; http_header; content:!"Content-"; http_header;
content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header;
metadata:ruleset community, service http;
reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0
b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46980; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Orcus RAT
inbound SSL certificate"; flow:to_client,established; content:"|16 03|"; depth:2;
content:"|02|"; within:1; distance:3; content:"|0C|Orcus Server";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-
detect-ips drop, policy security-ips drop, ruleset community, service ssl;
reference:url,virustotal.com/en/file/8d880758549220154d2ff4ee578f2b49527c5fb76a07d5
5237b61e30bcc09e3a/analysis/; classtype:trojan-activity; sid:46981; rev:1;)
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE
Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18;
content:"Microsoft Corp"; within:250; metadata:policy max-detect-ips drop, ruleset
community; reference:nessus,11633; classtype:successful-admin; sid:46983; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000,5156,7218]
(msg:"MALWARE-CNC Win.Trojan.SocketPlayer outbound connection";
flow:to_server,established; content:"POST /cl/uplod/"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2
e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,1337,5156] (msg:"MALWARE-CNC
Win.Trojan.SocketPlayer outbound connection"; flow:to_server,established;
content:"/uploads/excutbls/h/"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2
e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Spyware.Invisimole CnC outbound connection"; flow:to_server,established;
content:"/www/"; depth:5; fast_pattern; http_uri; content:"/00"; distance:0;
http_uri; content:!"Accept|3A|"; http_header; pcre:"/\/www\/(%[A-F0-9]{2})
{5,}\/00/I"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-
ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/be554e706f6b8ab8f4bbea209b669e9dca98bf647f
aa55c46756f322dadab32f/analysis/; classtype:trojan-activity; sid:47016; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.TechSupportScam installed binary outbound connection";
flow:to_server,established; content:"/show_new.php?"; fast_pattern:only; http_uri;
content:"code="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips
drop, policy max-detect-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee442
2d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47067; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.TechSupportScam installed binary outbound connection";
flow:to_server,established; content:"/register.php?"; fast_pattern:only; http_uri;
content:"p="; nocase; http_uri; content:"&code="; nocase; http_uri; content:!"User-
Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy
max-detect-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee442
2d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.TechSupportScam installed binary outbound connection";
flow:to_server,established; content:"/update_new.php?"; fast_pattern:only;
http_uri; content:"code="; nocase; http_uri; content:!"User-Agent"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee442
2d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47069; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Win.Adware.Pbot variant outbound connection"; flow:to_server,established;
content:"/installstarted"; fast_pattern:only; http_uri; content:"de="; nocase;
http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri;
metadata:ruleset community, service http;
reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f
8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47093; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Win.Adware.Pbot variant outbound connection"; flow:to_server,established;
content:"/collect.php"; fast_pattern:only; http_uri; content:"pid="; http_uri;
content:"cid="; http_uri; content:"sid="; http_uri; content:"act="; http_uri;
metadata:ruleset community, service http;
reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f
8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47094; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Win.Adware.Pbot variant outbound connection"; flow:to_server,established;
content:"/installended"; fast_pattern:only; http_uri; content:"de="; nocase;
http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri;
metadata:ruleset community, service http;
reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f
8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47095; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.NukeSped RAT variant outbound communication";
flow:to_server,established; content:"|B0 00 B0 00 B0 00 B0 00 26 00 26 00 26 00|";
depth:15; metadata:impact_flag red, ruleset community;
reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ff
b39fc75c8456db4f60756/; classtype:trojan-activity; sid:47177; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC
Win.Trojan.NukeSped RAT variant outbound connection"; flow:to_server,established;
content:"|50 00 00 00|"; depth:4; byte_test:1,>,2,0,relative; content:!"|0A|";
within:1; distance:1; isdataat:79,relative; metadata:impact_flag red, ruleset
community;
reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ff
b39fc75c8456db4f60756/; classtype:trojan-activity; sid:47178; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Js.Trojan.Agent JS Sniffer beacon connection"; flow:established,to_server;
content:".php?"; http_uri; content:"=WyJ1cmw"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http; classtype:trojan-
activity; sid:47320; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established;
content:"?os="; http_uri; content:"&user="; http_uri; content:"&av="; http_uri;
content:"&fw="; http_uri; content:"&hwid="; http_uri; metadata:impact_flag red,
policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop,
ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/meet-
ars-vbs-loader/; classtype:trojan-activity; sid:47338; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC
Unix.Trojan.Vpnfilter plugin variant connection attempt";
flow:to_client,established; content:"|00 AC D3 62 78 26 76 31 E5 E7 E5 1D C2 3C 15
40 25 2F 90 BD 1F 7F 0E 5E 33 77 EC 0C 1E 6B 61 47|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community;
reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-
activity; sid:47377; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic
Server unauthenticated modified JSP access attempt"; flow:to_server,established;
content:"/ws_utc/css/config/keystore/"; fast_pattern:only; http_uri;
content:".jsp"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,104763; reference:cve,2018-2894;
reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html;
classtype:attempted-recon; sid:47386; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic
Server potential unauthenticated reconnaissance attempt";
flow:to_server,established; content:"/ws_utc/resources/setting/options/general";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,104763; reference:cve,2018-2894;
reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html;
classtype:attempted-recon; sid:47387; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic
Server potential precursor to keystore attack attempt"; flow:to_server,established;
content:"/ws_utc/resources/setting/keystore"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,104763;
reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-
advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47388; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Calisto outbound connection"; flow:to_server,established;
content:"/calisto/upload.php"; fast_pattern:only; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd
991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47414; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Trojan.Calisto outbound connection"; flow:to_server,established;
content:"/calisto/listenyee.php"; fast_pattern:only; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd
991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47415; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Mapoyun
variant outbound connection attempt"; flow:to_server,established;
content:"Connection:Close|3B|"; fast_pattern:only; http_header; content:"X-CA-";
nocase; http_header; content:!"User-Agent|3A|"; nocase; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/34cbcbbbc4b538f30bc3d57dd587f1b604d29f113c149b
f1ab53898464ad9c80/analysis/; classtype:trojan-activity; sid:47427; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PLEAD
downloader outbound connection"; flow:to_server,established; content:"GET /logo.png
HTTP/1.1|0D 0A|"; depth:24; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE
8.0)|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy max-detect-ips drop, policy security-ips drop, ruleset community;
reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html;
classtype:trojan-activity; sid:47556; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PLEAD
downloader outbound connection"; flow:to_server,established; content:"GET
/index.php?id="; depth:18; content:"HTTP/1.1|0D 0A|"; within:10; distance:11;
nocase; content:"Cookie:"; isdataat:50,relative; content:!"="; within:50;
content:!"|3B|"; within:50; metadata:impact_flag red, policy balanced-ips drop,
policy max-detect-ips drop, policy security-ips drop, ruleset community;
reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html;
classtype:trojan-activity; sid:47557; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Zegost
variant outbound connection"; flow:to_server,established; content:"|2A 00 00 00|";
depth:4; isdataat:37,relative; isdataat:!38,relative; metadata:impact_flag red,
policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop,
ruleset community;
reference:url,www.virustotal.com/#/file/108bbc4ff7b7da4f0de1225094964d03b19fc38b939
33f739c475f08ae17915e/detection; classtype:trojan-activity; sid:47567; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla
Proclaim biblestudy backup access attempt"; flow:to_server,established;
content:"/media/com_biblestudy/backup/"; fast_pattern:only; http_uri;
content:".sql"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips
drop, policy security-ips drop, ruleset community, service http;
classtype:attempted-recon; sid:47613; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.KeyPass variant inbound connection attempt"; flow:to_client,established;
file_data; content:"|7B 22|line1|22 3A 22|"; depth:10; fast_pattern; content:"|22|
line2|22 3A 22|"; within:30; distance:30; metadata:impact_flag red, policy
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,virustotal.com/#/file/901d893f665c6f9741aa940e5f275952/detection;
classtype:trojan-activity; sid:47627; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DNS TXT
response record tunneling"; flow:to_client; dsize:>300; content:"|00 10 00 01 00 00
00 00 01 00 FF|"; fast_pattern:only; detection_filter:track by_src, count 25,
seconds 1; metadata:ruleset community, service dns;
reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity;
sid:47639; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP SSL certificate
with null issuer rdnSequence fields detected"; flow:to_client,established;
ssl_state:server_hello; content:"|30 07 06 03 55 04 06 13 00 31 09 30 07 06 03 55
04 08 13 00 31 09 30 07 06 03 55 04 07 13 00 31 09 30 07 06 03 55 04 0A 13 00 31 09
30 07 06 03 55 04 0B 13 00 31 09 30 07 06 03 55 04 03 13 00|"; fast_pattern:only;
metadata:ruleset community, service ssl; classtype:misc-activity; sid:47640;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Marap outbound beacon detected"; flow:to_server,established;
content:"/dot.php"; fast_pattern:only; http_uri; content:"param="; depth:6;
http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-
detect-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca7
1efe75c6c0fd18f3cbfbf5/analysis/; classtype:trojan-activity; sid:47650; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Andr.Trojan.MysteryBot outbound connection"; flow:to_server,established;
content:"/site/gate.php?i=eyAiYWN0aW9uIjog"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/334f1efd0b347d54a418d1724d51f8451b7d0bebbd
05f648383d05c00726a7ae/analysis/; classtype:trojan-activity; sid:47723; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server,
established; content:"/private/"; fast_pattern; http_uri; content:".php";
distance:0; http_uri; content:"p="; http_client_body; content:"User-Agent:";
http_header; content:"Android"; within:100; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e4
94fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47876; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server,
established; content:"/private/checkPanel.php"; fast_pattern:only; http_uri;
content:"User-Agent:"; http_header; content:"Android"; within:100; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e4
94fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47877; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.OilRig variant outbound connection"; flow:to_server,established;
content:"GET /tahw?"; fast_pattern:only; pcre:"/\x2ftahw\x3f[A-F0-9]{3,84}$/U";
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084
c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47898; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.OilRig variant outbound connection"; flow:to_server,established;
content:"GET /khc?"; fast_pattern:only; pcre:"/\x2fkhc\x3f[A-F0-9]{3,84}$/U";
metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084
c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47899; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.OilRig variant outbound connection"; flow:to_server,established;
content:"GET /pser?"; fast_pattern:only; pcre:"/\x2fpser\x3f[A-F0-9]{3,84}(BBZ|
BBY)/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084
c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47900; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.MSDownloader variant outbound connection"; flow:to_server,established;
content:"MS_D0wnl0ad3r"; fast_pattern:only; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e7
6d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47934; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.MSDownloader variant download"; flow:to_client,established; file_data;
content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r";
fast_pattern:44,13; metadata:impact_flag red, policy balanced-ips drop, policy max-
detect-ips drop, policy security-ips drop, ruleset community, service ftp-data,
service http, service imap, service pop3;
reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e7
6d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47935; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.MSDownloader variant download"; flow:to_server,established; file_data; content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r"; fast_pattern:44,13; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47936; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"browser/Vivaldi.txtPK"; fast_pattern:only; http_client_body; content:"/Upload/"; http_uri; urilen:8; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48035; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Libs.zip"; fast_pattern:only; http_uri; urilen:9; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48036; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; content:"/image_download.php?uid="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/analysis; classtype:trojan-activity; sid:48092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; content:"Accept:*/*"; http_header; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/analysis; classtype:trojan-activity; sid:48093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/dl.itranslator.info/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48115; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/gl.php?uid="; fast_pattern:only; http_uri; content:"&v="; http_uri; content:"&x="; within:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48116; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/ufiles/"; fast_pattern:only; http_uri; content:".dll"; http_uri; content:"UID: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48117; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"User-Agent: ITRANSLATOR|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48118; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"UID: P002|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48119; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/cfg?cb="; fast_pattern:only; http_uri; content:"&guid="; http_uri; content:"&uid="; distance:0; http_uri; content:"&ua="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48120; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.XAgent variant outbound connection"; flow:to_server,established; content:"&itwm="; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6; classtype:trojan-activity; sid:48140; rev:1;)
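The HTTP rules above lean on a few Snort 2 option semantics that are easy to misread when reviewing or porting them: a buffer modifier such as http_uri binds to the content keyword that precedes it, a negated content (content:!"...") requires the pattern to be absent from its buffer, urilen is an exact length, and within:20 constrains the next match relative to the end of the previous match in the same buffer. The evaluator below is an added example, not part of the community ruleset and not Snort's own matching engine: it parses three of the rules above (sid 48035, 48093 and 48116, copied with their metadata and reference options trimmed) and runs them against constructed HTTP requests. Flow state, $HOME_NET/$HTTP_PORTS matching, URI normalisation and fast_pattern selection are deliberately not modelled, and the request details (the host c2.invalid, the body bytes) are constructed for the demonstration.

```python
"""Evaluate the Snort 2 HTTP content-matching subset used by the rules above (added example,
not part of the community ruleset). Modelled: content with http_* modifiers, negation,
distance/within and urilen. Not modelled: flow state, IP/port variables, HTTP normalisation."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Option tokenizer: name[:value]; a value is either a quoted string (with \" escapes) or bare text.
OPT_RE = re.compile(r'\s*(\w+)(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*))?;')
BUFFERS = ("http_method", "http_uri", "http_header", "http_client_body")

def decode_content(text: str) -> bytes:
    """Decode a content literal: |3A 20| runs are hex bytes, everything else is literal."""
    out = b""
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode().replace(b'\\"', b'"')
    return out

@dataclass
class Content:
    pattern: bytes
    negated: bool = False            # content:!"..." means the pattern must be absent
    buffer: str = "pkt"              # set by the http_* modifier that follows the content
    distance: Optional[int] = None   # offset from the end of the previous match in this buffer
    within: Optional[int] = None     # the match must lie inside this many bytes of that point

@dataclass
class Rule:
    sid: int = 0
    urilen: Optional[int] = None
    contents: List[Content] = field(default_factory=list)

def parse_rule(line: str) -> Rule:
    """Parse the option block of a single-line Snort 2 rule (only the keywords modelled here)."""
    rule = Rule()
    for name, val in OPT_RE.findall(line[line.index("(") + 1:line.rindex(")")]):
        if name == "content":
            rule.contents.append(Content(decode_content(val.lstrip("!").strip('"')), val.startswith("!")))
        elif name in BUFFERS:
            rule.contents[-1].buffer = name   # Snort 2 modifiers bind to the preceding content
        elif name in ("distance", "within"):
            setattr(rule.contents[-1], name, int(val))
        elif name in ("urilen", "sid"):
            setattr(rule, name, int(val))
    return rule

@dataclass
class HttpRequest:
    """A constructed client request, split into the buffers Snort's HTTP inspector exposes."""
    method: str
    uri: str
    headers: str        # header block only; the request line is not part of http_header
    body: bytes = b""

    def buffer(self, name: str) -> bytes:
        return {"http_method": self.method.encode(), "http_uri": self.uri.encode(),
                "http_header": self.headers.encode(), "http_client_body": self.body}[name]

def match_buffer(buf: bytes, checks: List[Content]) -> bool:
    """Run the checks aimed at one buffer in order, tracking the cursor that relative matches use."""
    cursor = 0
    for c in checks:
        relative = c.distance is not None or c.within is not None
        start = cursor + (c.distance or 0) if relative else 0
        end = start + c.within if c.within is not None else len(buf)
        pos = buf.find(c.pattern, start, end)   # -1 unless the pattern fits entirely in [start, end)
        if c.negated:
            if pos != -1:
                return False
            continue                            # a negated content does not advance the cursor
        if pos == -1:
            return False
        cursor = pos + len(c.pattern)
    return True

def rule_matches(rule: Rule, req: HttpRequest) -> bool:
    if rule.urilen is not None and len(req.uri) != rule.urilen:
        return False
    for name in BUFFERS:
        checks = [c for c in rule.contents if c.buffer == name]
        if checks and not match_buffer(req.buffer(name), checks):
            return False
    return True

# Three rules from the set above (sid 48035, 48093, 48116), metadata and reference options trimmed.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound '
    'connection"; flow:to_server,established; content:"browser/Vivaldi.txtPK"; fast_pattern:only; '
    'http_client_body; content:"/Upload/"; http_uri; urilen:8; content:!"User-Agent|3A 20|"; http_header; '
    'classtype:trojan-activity; sid:48035; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound '
    'connection"; flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; '
    'content:"Accept:*/*"; http_header; content:"POST"; http_method; classtype:trojan-activity; sid:48093; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound '
    'connection"; flow:to_server,established; content:"/gl.php?uid="; fast_pattern:only; http_uri; '
    'content:"&v="; http_uri; content:"&x="; within:20; http_uri; classtype:trojan-activity; sid:48116; rev:1;)',
]

def scan(req: HttpRequest) -> List[int]:
    """Return the sids of SAMPLE_RULES that fire on one constructed request."""
    return [r.sid for r in map(parse_rule, SAMPLE_RULES) if rule_matches(r, req)]
```

Calling `scan(HttpRequest("POST", "/Upload/", "Host: c2.invalid\r\nContent-Length: 40\r\n", b"PK\x03\x04browser/Vivaldi.txtPK"))` returns `[48035]`; adding a User-Agent header or lengthening the URI to /Upload/x drops the match, and inserting 30 bytes of padding between &v= and &x= in the ITranslator URI defeats the within:20 window of sid 48116. Those two behaviours are the practical caveat when tuning these rules: the negated User-Agent check is what keeps 48035 and 48036 quiet on ordinary browser uploads, and it equally means a sample that sends any User-Agent header is not covered by them.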
