Description: Additional community rules
Origin: other
Last-Update: 2011-11-28

--- /dev/null
+++ b/rules/community-web-dos.rules
@@ -0,0 +1,5 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-dos.rules,v 1.8 2005/03/08 14:41:42 bmc Exp $
+
--- /dev/null
+++ b/rules/pop2.rules
@@ -0,0 +1,26 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: pop2.rules,v 1.11.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#--------------
+# POP2 RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;)
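Review bot: sid:284 and sid:285 carry the identical `msg:"POP2 x86 Linux overflow"` although they match different payload bytes, so an analyst reading the alert text alone cannot tell which signature fired. Giving each its own text, for example `msg:"POP2 x86 Linux overflow (byte pattern)"` for sid:284 and `msg:"POP2 x86 Linux overflow (/BIN/SH string)"` for sid:285, keeps per-rule triage and suppression straightforward. sid:1935 is also the only rule in this file without a `reference:` entry, which leaves no pointer for whoever has to judge that alert.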
--- /dev/null
+++ b/rules/backdoor.rules
@@ -0,0 +1,119 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: backdoor.rules,v 1.44.2.6.2.3 2005/05/31 17:13:02 mwatchinski Exp $
+#---------------
+# BACKDOOR RULES
+#---------------
+#
+
+alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;)
+alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;)
+
+
+alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;)
+
+alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;)
+
+# 3150, 4120
+alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1980; rev:4;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:195; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1981; rev:3;)
+alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1982; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3;)
+alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1984; rev:3;)
+
+
+alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;)
+alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;)
+
+
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;)
+alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;)
+
+
+alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;)
+alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;)
+alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:8;)
+alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:121; rev:8;)
+
+alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;)
+
+alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;)
+alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5;)
+alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;)
+alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;)
+alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:6;)
+alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;)
+alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)
+# alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flow:stateless; flags:A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:6;)
+alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;)
+alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;)
+alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:9;)
+alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;)
+alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;)
+
+
+alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;)
+alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:8;)
+alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;)
+
+
+# NOTES: this string should be within the first 3 bytes of the connection
+alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;)
+alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; reference:mcafee,10566; reference:nessus,10409; classtype:misc-activity; sid:2100; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:11;)
+alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3015; rev:3;)
+alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3016; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; classtype:misc-activity; sid:3011; rev:1;)
+alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; classtype:misc-activity; sid:3014; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; classtype:misc-activity; sid:3010; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; classtype:misc-activity; sid:3013; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; classtype:misc-activity; sid:3012; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:3063; rev:2;)
+alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:3064; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; content:"getclient"; depth:9; flowbits:isset,backdoor.y3krat_15.connect; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; classtype:misc-activity; sid:3082; rev:1;)
+alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; classtype:misc-activity; sid:3081; rev:1;)
+alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; content:"client"; depth:6; flowbits:isset, backdoor.y3krat_15.client.response; classtype:misc-activity; sid:3083; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; classtype:trojan-activity; sid:3155; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;)
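Review bot: Several rules in this file are enabled with very little specificity: the $TELNET_SERVERS block (sid:209 to sid:220) alerts on short unanchored strings such as `content:"backdoor"; nocase;`, `content:"friday";` or `content:"wank";` anywhere in an established telnet stream, and sid:141 (`content:"host";`) and sid:159 (`content:"--";`) are similarly loose. sid:1791 and sid:1929 have no payload match at all and key only on the fixed addresses 216.80.99.202 and 212.146.0.34, indicators at least as old as the 2005 `$Id` of this file. On a monitored network these are likely to generate noise that buries real alerts. I would add a comment ahead of them such as `# NOTE: low-specificity signature; expect false positives, tune or disable per sensor`, and consider shipping the two address-only rules commented out, as sid:160 already is.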
--- /dev/null
+++ b/rules/telnet.rules
@@ -0,0 +1,42 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $
+#-------------
+# TELNET RULES
+#-------------
+#
+# These signatures are based on various telnet exploits and unpassword
+# protected accounts.
+#
+
+
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; rev:3;)
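Review bot: sid:1253 looks internally inconsistent: its header is `$EXTERNAL_NET any -> $TELNET_SERVERS 23`, i.e. traffic towards the server, but its options say `flow:to_client,established;`. A packet sent to port 23 on the server would not normally be classified as to_client, so the rule may never fire; the msg ("bsd exploit client finishing") suggests client-originated traffic was intended. I would change it to `flow:to_server,established;`, or swap the header if server responses were meant, and bump `rev`. This is worth confirming against a capture before relying on the rule for CVE-2001-0554 coverage.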
--- /dev/null
+++ b/rules/experimental.rules
@@ -0,0 +1,27 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: experimental.rules,v 1.78.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+# ---------------
+# EXPERIMENTAL RULES
+# ---------------
+# These signatures are experimental, new and may trigger way too often.
+#
+# Be forwarned, this is our testing ground.  We put new signatures here for
+# testing before incorporating them into the default signature set.  This is
+# for bleeding edge stuff only.
+#
--- /dev/null
+++ b/rules/web-php.rules
@@ -0,0 +1,162 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-php.rules,v 1.21.2.2.2.2 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# WEB-PHP RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:"<script"; nocase; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/path=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; reference:bugtraq,1997; reference:bugtraq,9361; classtype:web-application-attack; sid:1491; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established; uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9865; reference:bugtraq,9866; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TUTOS path disclosure attempt"; flow:to_server,established; uricontent:"/note_overview.php"; content:"id="; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV base directory manipulation"; flow:to_server,established; uricontent:"_conf.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; classtype:web-application-attack; sid:2926; rev:1;)
--- /dev/null
+++ b/rules/web-coldfusion.rules
@@ -0,0 +1,58 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-coldfusion.rules,v 1.27.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#---------------------
+# WEB-COLDFUSION RULES
+#---------------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)
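Review bot: Two rules in this file carry the same alert text: sid 905 and sid 932 both use `msg:"WEB-COLDFUSION application.cfm access"`, so an analyst reading the alert log cannot tell the example-app admin path from the generic match without looking up the sid. I would rename sid 905 to `msg:"WEB-COLDFUSION exampleapp publish admin application.cfm access";`. The directory rules also overlap the file rules under them (sid 928 `/cfdocs/exampleapp/` with 904-907, sid 930 `/cfdocs/snippets/` with 910, 915 and 936, sid 918 `/cfdocs/expeval/` with 911 and 922), so a single request can raise more than one alert. A comment above each directory rule, such as `# catch-all for /cfdocs/snippets/; overlaps the per-file rules by design`, would tell whoever tunes the set which one to suppress. Minor: sid 919 reads `passwordattempt`, and sid 936 has a trailing space inside the msg string.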
--- /dev/null
+++ b/rules/community-web-iis.rules
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-iis.rules,v 1.2 2005/10/20 13:49:44 akirk Exp $
+
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost"; flow:to_server,established; content:"localhost"; nocase; pcre:"/http\x3A\/\/localhost\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000138; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi"; classtype:web-application-activity; sid:100000173; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent access"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-activity; sid:100000174; rev:1;)
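Review bot: sid 100000173 ("RSA WebAgent Redirect Overflow attempt") is classed `web-application-activity` and has no `reference:` option, so the overflow alert is classified the same as the plain access rule sid 100000174 on the next line and gives the analyst no advisory to trace it to. I would use `classtype:web-application-attack;`, as other overflow rules in this patch do (for example sid 1246). I would also add the advisory for the overflow itself, `reference:cve,<CVE-ID-of-the-Redirect-overflow>;`, after confirming whether it is the same issue cited on sid 100000174. Separately, all four rules in this file use `$HOME_NET` as the destination where the other web rules in the patch use `$HTTP_SERVERS`. If that is deliberate, a one-line comment saying so would help.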
--- /dev/null
+++ b/rules/community-mail-client.rules
@@ -0,0 +1,4 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-mail-client.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $
--- /dev/null
+++ b/rules/deleted.rules
@@ -0,0 +1,451 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: deleted.rules,v 1.37.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#-------------
+# DELETED RULES
+#-------------
+# These signatures have been deleted for various reasons, but we are keeping
+# them here for historical purposes.
+
+# Duplicate to 332
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)
+
+# Duplicate of 512
+alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)
+
+# Duplicate of 514
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)
+
+# Duplicate of 557
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
+
+# Duplicate of 559
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
+
+# Duplicate of 844
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)
+
+# Yeah, so the one site that was vulnerable to edit.pl aint no more.
+# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)
+
+# duplicate of 987
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)
+
+# webmasters suck, so this happens ever so often.  Its really not that bad,
+# so lets disable it.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
+
+# dup of 1660
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)
+
+# dup
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)
+
+
+# Falses WAAAYYY too often.
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)
+
+# Replaced with 1801,1802,1803,1804
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)
+
+# duplicate of sid:1673
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)
+
+# Port based only sigs suck, this is why stream4 has flow logs
+alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)
+
+# basically duplicate of 330
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)
+
+# duplicate of 1478
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)
+
+# duplicate of 1248
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)
+
+# duplicate of 1249
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)
+
+# duplicate of 1755
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)
+
+# duplicate of 1538
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
+
+# This rule looks for the exploit for w3-msql, but very badly
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86  access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
+
+
+# duplicate of 109
+alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;)
+
+# duplicate of 110
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
+
+
+# we have a backorifice preprocessor
+alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;)
+
+# we have a backorifice preprocessor
+alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
+
+
+
+alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;)
+alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;)
+alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;)
+alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:7;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;)
+
+# The following ftp rules look for specific exploits, which are not needed now
+# that initial protocol decoding is available.
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;)
+
+# duplicate of 475
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;)
+
+
+# not needed thanks to 1964 and 1965
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;)
+
+# dup of 589
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
+# dup of 1275
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
+
+# dup of 1280
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
+
+# dup of 1281
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;)
+
+# this has been replaced with sid 1905 and 1906
+alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;)
+
+# these have been replaced by 1915, 1916, 1914, and 1913
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;)
+
+# duplicate of 1088
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;)
+
+
+# these are obsolete
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;)
+
+# what is this rule?  we have no idea...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;)
+
+# These have been replaced by better rules (1915,1916,1913,1914)
+alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;)
+
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;)
+
+# specific example for sid:1549
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;)
+
+# this is properly caught by sid:527
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;)
+
+# duplicate of 1546
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;)
+
+# these are obsoleted by cleaning up 663
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;)
+
+# dup of 588
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;)
+# dup of 1274
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;)
+
+# these virus rules suck.
+alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... Hey you !"; classtype:misc-activity; sid:727; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;)
+alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;)
+alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;)
+alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market share tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;)
+# pcre makes this not needed
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;)
+
+# historical reference... this used to be here...
+alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;)
+
+# taken care of by http_inspect now
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; reference:nessus,10671; sid:970; rev:11;)
+
+# better rule for 1054 caused these rules to not be needed
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;)
+
+# these rules are dumb.  sid:857 looks for the access, and thats all we can do
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;)
+
+# dup of 2061
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;)
+
+
+
+# squash all of the virus rules into one rule.  go PCRE!
+alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:4;)
+
+# uh, yeah this happens quite a bit.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;)
+
+# dup of 1485
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;)
+
+# dup of 2339
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;)
+
+# these happen.  more research = more better rules
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2499; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;)
+
+
+#nmap is no longer as dumb as it once was...
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;)
+
+# dup of 553
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;)
+
+# dup of 2417, which is a better rule anyways
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; sid:1530; rev:12;)
+
+# ans1 goodness takes care of this one for us
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2385; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2384; rev:10;)
+
+
+# because this rule sucks
+alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:9;)
+
+
+# http inspect does a better job than these rules do
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:981; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:982; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:983; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:1945; rev:6;)
+
+# dup of 1672
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:7;)
+
+# dup of 1229
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:3;)
+
+# dup of 1757
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; reference:bugtraq,4673; reference:cve,2002-0734; sid:1758; rev:6;)
+
+# dup of 653
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:2;)
+
+# converted to a dup by 1437 moving to regex
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:7;)
+
+# handled by 1212
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:6;)
+
--- /dev/null
+++ b/rules/ddos.rules
@@ -0,0 +1,66 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: ddos.rules,v 1.23.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#-----------
+# DDOS RULES
+#-----------
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
+
+
+alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
+# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:10;)
+
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
+alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8;)
+alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
+
+
+alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)
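Review bot: sid:246 (`DDOS mstream agent pong to handler`) matches destination port 10498, the port sid:244 and sid:245 use for handler-to-agent traffic, whereas the other agent-to-handler rule, sid:243, uses 6838. If the handler does listen on 6838, this rule watches the wrong port and will miss the pong; confirm against the mstream write-up and, if so, change the header to `$HOME_NET 6838` and bump `rev`. Separately, sid:247, sid:248 and sid:250 match the single byte `content:">";` anywhere in an established session on 12754/15104, and sid:240, sid:245 and sid:246 match the bare words `alive`, `ping` and `pong` with no `depth` or second content. Hits on these are low-confidence on their own, and a comment above the group such as `# mstream/shaft: short unanchored matches, correlate with the other sids in the family before escalating` would record that for whoever tunes the set.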
--- /dev/null
+++ b/rules/community-misc.rules
@@ -0,0 +1,48 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-misc.rules,v 1.25 2007/03/05 15:22:49 akirk Exp $
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY MISC Sentinel License Manager overflow attempt"; dsize:>1000; reference:cve,CAN-2005-0353; reference:bugtraq,12742; classtype:attempted-user; sid:100000125; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2380 (msg:"COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt"; flow:to_server,established; pcre:"/[^\r\n]{1000,}/i"; reference:cve,2005-0768; reference:url,unsecure.altervista.org/security/goodtechtelnet.htm; classtype:attempted-dos; sid:100000126; rev:1;)
+#Rule submitted by rmkml
+alert tcp any any -> any !139 (msg:"COMMUNITY MISC BAD-SSL tcp detect"; flow:stateless; content:"|00 0E|"; depth:4; offset:0; classtype:misc-activity; sid:100000137; rev:1;)
+#Rules submitted by Thierry Chich
+alert tcp any any -> any any (msg:"COMMUNITY MISC streaming RTSP - realplayer"; flow:established; content:"PLAY rtsp|3A 2F 2F|"; depth: 12; classtype:policy-violation; reference:url,www.rtsp.org; sid:100000189; rev:2;)
+alert tcp any any -> any any (msg:"COMMUNITY MISC streaming Windows Mediaplayer"; flow:established; content:"|01 00 00 00 ce fa 0b b0|"; depth: 8; content:"MMS"; distance:4; within:4; classtype:policy-violation; reference:url,www.microsoft.com; sid:100000190; rev:2;)
+#alert udp $EXTERNAL_NET 1023: -> $HOME_NET 123 (msg:"COMMUNITY MISC Ntp fingerprint detect"; dsize:48; content:"|BE 78 2F 1D 19 BA 00 00|"; reference:url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1; classtype:attempted-dos; sid:100000198; rev:1;)
+#Rule submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8008 (msg:"COMMUNITY MISC Novell eDirectory iMonitor access"; flow:to_server,established; uricontent:"/nds/"; nocase; reference:bugtraq,14548; reference:cve,2005-2551; reference:nessus,19248; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18703; classtype:web-application-attack; sid:100000199; rev:1;)
+#Rule submitted jointly by Romain Chartier, Sylvain Sarmejeanne, and Pierre Lalet
+alert udp any any -> any 53 (msg:"COMMUNITY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;)
+#Rules submitted by Crusoe Researches Team
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"COMMUNITY MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"COMMUNITY MISC SNMP trap Format String detected"; content:"%s"; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:1;)
+#Rule submitted by Nigel Houghton
+alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"COMMUNITY MISC Lotus Domino LDAP attack"; flow:established; content:"|30 0c 02 01 01 60 07 02 00 03 04 00 80 00|"; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:2;)
+
+#Jabber/Google Talk traffic from the client submitted by Steven Alexander
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000230; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:"<auth"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000231; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Logon"; flow:to_server,established; content:"<stream\:stream to=\"gmail.com\""; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000232; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outoing Message"; flow:to_server,established; content:"<message"; offset:0; nocase; reference:url,www.google.com/talk/;  classtype:policy-violation; sid:100000233; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Log Out"; flow:to_server,established; content:"</stream"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000234; rev:1;)
+
+#Jabber/Google Talk traffic from the server submitted by Steven Alexander
+alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000235; rev:1;)
+alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000236; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1364 (msg:"COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials"; flow:stateless; content:"SVTM056I"; nocase; classtype:bad-unknown; sid:100000281; rev:2;)
+
+# TOR Rules by Dan Ramaswami
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY MISC DLR-TOR Directory server response"; flow:established,to_client; content:"|54 4f 52|"; offset:109; depth:3; content:"|06 03 55 04 03|"; distance:4; within:5; content:"|20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:2; within:30; reference:url,tor.eff.org; classtype:policy-violation; sid:100000874; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY MISC DLR-TOR Client Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|06 03 55 04 03 14|"; distance:4; within:6; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:1; within:17; classtype:policy-violation; reference:url,tor.eff.org; sid:100000875; rev:1;)
+
+# Additional GoogleTalk Rules by Will Young
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY MISC Google Talk Version Check"; flow: established,to_server; uricontent:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype: policy-violation; sid:100000876; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; classtype:policy-violation; threshold: type limit, track by_src, count 1, seconds 300; sid:100000877; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:1;)
+
+# Rule submitted by dprotich@sagonet.com
+alert udp $EXTERNAL_NET any <> $HOME_NET 1025:1026 (msg:"COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry"; content:"FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!"; classtype:misc-activity; reference:url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx; sid:100000927; rev:1;)
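Review bot: The Jabber/Google Talk rules sid:100000230 through sid:100000236 pair each content with `offset:0` but no `depth`, and `offset:0` only sets where the search starts, so `<stream`, `<auth`, `<message` and the rest match anywhere in the payload rather than at its beginning. If start-of-payload anchoring was intended, add a depth equal to the pattern length, e.g. `content:"<message"; depth:8; nocase;`; if not, drop the no-op `offset:0` so the rule reads as what it does. sid:100000125 writes its reference as `reference:cve,CAN-2005-0353;` while the other rules in this file use the bare form (`cve,2005-0768`), which probably yields a malformed lookup link; `reference:cve,2005-0353;` would be consistent. sid:100000137 (`any any -> any !139`, `flow:stateless`, a two-byte content within `depth:4`) is broad enough to warrant a comment on expected false positives before it is enabled on a busy sensor.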
--- /dev/null
+++ b/rules/chat.rules
@@ -0,0 +1,63 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: chat.rules,v 1.25.2.2.2.4 2005/07/22 19:19:54 mwatchinski Exp $
+#-------------
+# CHAT RULES
+#-------------
+# These signatures look for people using various types of chat programs (for
+# example: AIM, ICQ, and IRC) which may be against corporate policy
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;)
+
+alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:6;)
+alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:1988; rev:5;)
+alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1991; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:542; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;)
+alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;)
+
+alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:1631; rev:8;)
+alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;)
+alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;)
+
+
+
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;)
+
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;)
+
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;)
+alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;)
+
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2460; rev:4;)
+alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:4;)
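Review bot: The IRC rules (sid 542, 1639, 1640, 1729, 1789, 1790) pair their first content with `offset:0` but no `depth`, so the keyword is not anchored to the start of the payload; `offset:0` is simply the default search start, and `NICK ` or `PRIVMSG ` will match anywhere in the segment. If start-of-command matching was intended, add a depth equal to the pattern length, e.g. `content:"NICK "; depth:5; nocase;` for sid 542. Separately, sid 2457 is written as `any any <> any 5101` and sid 1633 has `flow:to_client;` without `established`, unlike their siblings; scoping 2457 to `$HOME_NET`/`$EXTERNAL_NET` and adding `established` to 1633 would bring them in line. A header comment stating that the `6666:7000` range only covers IRC on its conventional ports would help analysts judge coverage.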
--- /dev/null
+++ b/rules/community-web-attacks.rules
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 (Hydra)/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established; uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)
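Review bot: In sid 100000168 the pcre ends in ` (Hydra)` with unescaped parentheses, which PCRE reads as a capture group, so the expression matches `Mozilla/4.0 Hydra` and not a User-Agent that carries the token in literal parentheses. If the literal form is what the rule is meant to catch, escape them: `pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 \x28Hydra\x29/smi";`. The `nocase;` that follows the pcre option adds nothing over the `i` flag and can be dropped. Since the User-Agent is chosen by the client, a comment saying the rule only identifies the tool in its default configuration would set the right expectation for triage.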
--- /dev/null
+++ b/rules/web-frontpage.rules
@@ -0,0 +1,58 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-frontpage.rules,v 1.32.2.2.2.2 2005/06/29 15:35:05 mwatchinski Exp $
+#--------------------
+# WEB-FRONTPAGE RULES
+#--------------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx; classtype:web-application-activity; sid:939; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx; classtype:web-application-activity; sid:940; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)
+
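Review bot: sid 939 (`WEB-FRONTPAGE posting`) uses `content:"POST";` with no position constraint, so the string is matched anywhere in the payload, including a header or body of a non-POST request whose URI contains `/author.dll`. Anchoring it to the request line, `content:"POST"; depth:4;`, would tie the alert to the method. Most other rules in this file alert on any request for a path (classtype `web-application-activity`) without regard to the server's response; a short comment at the top of the file saying they indicate probing rather than compromise, and matter only where FrontPage Server Extensions are installed, would help triage.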
--- /dev/null
+++ b/rules/community-exploit.rules
@@ -0,0 +1,11 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-exploit.rules,v 1.17 2006/08/18 19:38:06 akirk Exp $
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit"; flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,community_uri.size.1050; flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947; classtype:attempted-user; sid: 100000100; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi"; flowbits:isset,community_uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947; classtype:attempted-user; sid:100000101; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY EXPLOIT Sentinel LM exploit"; dsize:2048; reference:bugtraq,12742; reference:cve,2005-0353; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=14605; reference:nessus,17326; classtype:attempted-dos; sid:100000165; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"COMMUNITY EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; classtype:attempted-dos; sid:100000180; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; dsize:>268; reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;)
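Review bot: sid 100000100 only sets the flowbit `community_uri.size.1050` (`flowbits:noalert`), and the one rule that tests it, sid 100000101, is commented out, so the setter runs `pcre:"/.{1050,}/U"` on every outbound HTTP request with no content pre-filter and can never lead to an alert. Either comment out 100000100 as well, or repair and enable 100000101. Its pcre has an unescaped `+` in `xdp+xml` and `xfd+xml` (a quantifier, so the literal subtype does not match) and a stray `\ ` in `vnd\x2e\ adobe`; the intended form looks like `vnd\x2eadobe\x2exdp\x2bxml`. Also, sid 100000165 matches on `dsize:2048` alone, so any 2048-byte datagram to UDP 5093 alerts; a comment saying so would set expectations about false positives.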
--- /dev/null
+++ b/rules/community-smtp.rules
@@ -0,0 +1,14 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-smtp.rules,v 1.9 2006/07/14 13:36:01 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
+#Rule submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Gnu Mailman utf8 attachement access"; flow:to_server,established; content:"Content-Disposition|3A 20|attachement"; nocase; content:"filename|2A 3D|utf|2D|8"; nocase; content:"Content-Transfer-Encoding|3A 20|base64"; nocase; reference:bugtraq,15408; reference:cve,2005-3573; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20819; classtype:attempted-dos; sid:100000191; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP MIME-Type ms-tnef access"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/ms-tnef"; nocase; reference:bugtraq,16197; reference:cve,2006-0002; reference:url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx; classtype:attempted-admin; sid:100000219; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Mozilla filename overflow attempt"; flow:to_server,established; content:"filename|3D 22|"; nocase; pcre:"/^\s*filename\=\"[^\n]{100,}\.(exe|lnk)/smi"; reference:bugtraq,16271; classtype:attempted-admin; sid:100000224; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server, established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=\s*.*\x2ewab/smi"; reference:cve,2006-0014; reference:url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx; classtype:suspicious-filename-detect; sid:100000279; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt"; flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi"; reference:bugtraq,16742; reference:cve,2006-0559; classtype:attempted-admin; sid:100000301; rev:1;)
+# Enable only if SMTP_SERVERS is not any
+# alert tcp !$SMTP_SERVERS any -> any 25 (msg:"COMMUNITY SMTP Mytob MAIL FROM Attempt"; flow:established,to_server; content:"MAIL FROM|3A|"; nocase; pcre:"/MAIL\s+FROM\s*\x3A\s*\x3C?(spm|fcnz|www|secur|abuse)@/i"; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html; classtype:misc-attack; sid:100000689; rev:1;)
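Review bot: In sid 100000301 the pcre `/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi` requires whitespace after the colon, but the command is normally written `RCPT TO:<addr>` with none, so a recipient containing `%` in that standard form is not matched. Changing the second `\s+` to `\s*`, i.e. `pcre:"/^RCPT\s+TO\x3a\s*[^\r\n]*\x25/smi";`, covers both spellings. sid 100000191 matches the string `attachement`; unless the traffic it was written against used that spelling, the usual header value `attachment` will never hit, so this is worth confirming against the referenced advisory. In sid 100000279 the `.*` under the `s` flag spans lines, so any later `.wab` in the message satisfies it; `[^\r\n]*` would keep the match on the filename line.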
--- /dev/null
+++ b/rules/VRT-License.txt
@@ -0,0 +1,326 @@
+			SOURCEFIRE, INC.
+	     VRT CERTIFIED RULES LICENSE AGREEMENT
+			 VERSION 1.1
+
+THE VRT CERTIFIED RULES ARE LICENSED TO YOU BY SOURCEFIRE, INC.
+("SOURCEFIRE") UNDER THE TERMS OF THIS VRT CERTIFIED RULES LICENSE
+AGREEMENT (THE "AGREEMENT").  BY CLICKING THE "ACCEPT" BUTTON BELOW, OR
+BY INSTALLING OR USING THE VRT CERTIFIED RULES, YOU ARE CONSENTING TO BE
+BOUND BY THIS AGREEMENT.  IF YOU DO NOT AGREE TO THE TERMS AND
+CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON, AND DO
+NOT INSTALL OR USE ANY PART OF THE VRT CERTIFIED RULES.
+
+1. Definitions.
+
+  1.1. "Commercial Purpose" means the use, reproduction or distribution of
+  (i) the VRT Certified Rules or any Modification, or any portion of the
+  foregoing, or (ii) a Compilation that includes, in whole or in part, the
+  VRT Certified Rules or any Modification that in either case is intended
+  to result in a direct or indirect pecuniary gain or any other
+  consideration or economic benefit to any person or entity involved in
+  such use, reproduction or distribution.  Examples of a Commercial
+  Purpose, include without limitation, (v) integrating the VRT Certified
+  Rules with other software or hardware for sale, (w) licensing the VRT
+  Certified Rules for a fee, (x) using the VRT Certified Rules to provide
+  a service to a third party, (y) selling the VRT Certified Rules, or (z)
+  distributing the VRT Certified Rules for use with other products or
+  other services.
+
+  1.2. "Compilation" means a work which combines the VRT Certified Rules
+  or any Modification or portions thereof with any services, programs,
+  code or other products not governed by the terms of this Agreement.
+
+  1.3. "Improvements" shall mean a Modification to a VRT Certified Rule
+  (or to a modified VRT Certified Rule) that corrects a bug, defect, or
+  error in such rule without affecting the overall functionality of such
+  VRT Certified Rule (or Modification thereof).
+
+  1.4. "Modifications" means any alteration, addition to or deletion from
+  the substance or structure of the VRT Certified Rules or any
+  Modifications of such, including, without limitation,
+
+  	(a) any addition to or deletion from the contents of a file
+  	containing a VRT Certified Rule or a Modification;
+  	(b) any derivative of the VRT Certified Rule or of any Modification;
+  	or
+  	(c) any new file that contains any part of the VRT Certified Rule or
+  	Modifications.
+
+  1.5.  "Permitted Use" shall have the meaning given such term in Section 2.1.
+
+  1.6. "Restricted Activities" shall have the meaning given such term in
+  Section 2.1.
+
+  1.7. "Snort(r) Registered User" shall mean an individual who has
+  registered or subscribed on www.snort.org to use the VRT Certified Rules.
+
+  1.8. "VRT Certified Rules" means those Snort(r) rules (in text form,
+  source code form, object code form and all documentation related
+  thereto) that have been created, developed, tested and officially
+  approved by Sourcefire.  These rules are designated with SIDs of 3465 -
+  1,000,000, except as otherwise noted in the license file.
+
+  1.9. "You" (or "your") means an individual exercising rights under this
+  Agreement.  For legal entities, "you'' includes any entity which
+  controls, is controlled by, or is under common control with you or any
+  such entity you are acting on behalf of.  For purposes of this
+  definition, "control'' means (a) the power, direct or indirect, to cause
+  the direction or management of such entity, whether by contract or
+  otherwise, or (b) ownership of more than forty percent (40%) of the
+  outstanding shares or beneficial ownership of such entity.
+
+2. Sourcefire License Grant.
+
+  2.1. Grant of License; Permitted Use.  Subject to the terms and
+  conditions of this Agreement, Sourcefire hereby grants you a world-wide,
+  non-exclusive license to do any of the following with respect to the VRT
+  Certified Rules:
+
+  	(a) use and deploy the VRT Certified Rules on management consoles and
+  	sensors that you manage (over which you have administrative control);
+
+  	(b) use and deploy the VRT Certified Rules on behalf of your employer
+  	on its internal management consoles and sensors (e.g., where a valid
+  	employer-employee relationship exists between you and a legal entity);
+
+  	(c) modify the VRT Certified Rules and use those Modifications
+  	consistent with paragraphs (a) and (b) above;
+
+  	(d) distribute those VRT Certified Rules and any Modifications
+  	generally available to Snort(r) Registered Users  on a limited basis
+  	to other Snort(r) Registered Users;
+
+  	(e) distribute any Improvement generally available to Snort(r)
+  	Registered Users on mailing lists commonly used by the Snort(r) user
+  	community as a whole;
+
+  	(f) reproduce the VRT Certified Rules as strictly necessary in
+  	exercising your rights under this Section 2.1; and
+
+  	(g) Make the VRT Certified Rules (or any Modification) available to
+  	your or your employer's consultants, agents and subcontractors for
+  	the limited purpose of exercising your rights under this Section 2.1
+  	provided that such use is in compliance with this Agreement.
+
+  Paragraphs (a) though (g) of this Section 2.1 are collectively referred
+  to as the "Permitted Uses".  All rights not granted under this Agreement
+  are reserved by Sourcefire.
+
+  2.2. Limitations on License; Restricted Activities.  You recognize and
+  agree that the VRT Certified Rules are the property of Sourcefire,
+  contain valuable assets and proprietary information and property of
+  Sourcefire, and are provided to you under the terms and conditions of
+  this Agreement.  Notwithstanding anything to the contrary in this
+  Agreement, You agree that you shall NOT do any of the following without
+  Sourcefire's prior written consent:
+
+  	(a) use, deploy, perform, modify, license, display, reproduce or
+  	distribute the VRT Certified Rules or Modifications (even if merged
+  	with other materials as a Compilation) other than as allowed under a
+  	Permitted Use;
+
+  	(b) sell, license, transfer, rent, loan, use, modify, reproduce or
+  	disclose the VRT Certified Rules or any Modifications (in whole or in
+  	part and whether done independently or as part of a Compilation) for
+  	a Commercial Purpose;
+
+  	(c) post or make generally available any VRT Certified Rule (in whole
+  	or in part or any Modifications thereto) to individuals or a group of
+  	individuals who have not agreed to the terms and conditions of this
+  	Agreement, provided, however, that nothing in this Section 2.2(c)
+  	shall preclude the Permitted Use in Section 2.1(e);
+
+  	(d) share any user authentication information and/or password
+  	provided to you by Sourcefire with any third party to allow such
+  	party access your snort.org account or to otherwise access the VRT
+  	Certified Rules;
+
+  	(e) alter or remove any copyright notice or proprietary legend
+  	contained in or on the VRT Certified Rules.
+
+  Paragraphs (a) though (e) of this Section 2.2 are collectively referred
+  to as the "Restricted Activities").
+
+  2.3. Reproduction Obligations.  You agree that any embodiment of the VRT
+  Certified Rules permitted under this Agreement will contain the notices
+  set forth in Exhibit A.  In addition, to the extent you make any copies
+  of or distribute the VRT Certified Rules or any Modifications under this
+  Agreement, you agree to ensure that any and all such copies shall contain:
+
+  	(a) a copy of an appropriate copyright notice and all other
+  	applicable proprietary legends;
+
+  	(b) a disclaimer of any warranty consistent with this Agreement; and
+
+  	(c) any and all notices referencing this Agreement and absence of warranties.
+
+3. Modifications; Derivative Works.  In the event you create a
+Modification, the use, reproduction and distribution of such
+Modifications shall be governed by the terms and conditions of this
+Agreement.  Additionally, you hereby grant Sourcefire and any other
+licensee of the VRT Certified Rules an irrevocable, perpetual, fully
+paid-up, world-wide, royalty-free, non-exclusive license to use,
+reproduce, modify, display, perform and distribute such Modifications
+(and the source code thereto), provided, however, that you and any
+recipient of such Modifications must include:
+
+	(a) the original copyright notice and all other applicable
+	proprietary legends;
+
+	(b) the original warranty disclaimer;
+
+	(c) the original notices referencing this Agreement and absence of
+	warranties; and
+
+	(d) a prominent notice stating that you changed the VRT Certified
+	Rule (or any Modification thereto) and the date of any change.
+
+4. Distribution Obligations.
+
+  4.1. General.  The source code version of the VRT Certified Rules (or
+  any Modification thereof) may be distributed only under the terms of
+  this Agreement, and you must include a copy of this Agreement with every
+  copy of the VRT Certified Rules you distribute.
+
+  4.2. Required Notices.  You must duplicate the notice in Exhibit A in
+  each file of the source code.  If it is not possible to put such notice
+  in a particular source code file due to its structure, then you must
+  include such notice in a location (such as a relevant directory) where a
+  user would be likely to look for such a notice. If you created one or
+  more Modification(s) you may add your name as a contributor to the
+  notice described in Exhibit A. You must also duplicate this Agreement in
+  any documentation for the source code where you describe recipients'
+  rights or ownership rights relating to the VRT Certified Rules.  To the
+  extent you offer additional warranty, support, indemnity or liability
+  obligations, you may do so only on your own behalf, and not on behalf of
+  Sourcefire.  You must make it absolutely clear that any such warranty,
+  support, indemnity or liability obligation is offered by you alone, and
+  you hereby agree to indemnify and hold Sourcefire harmless for any
+  liability incurred by Sourcefire as a result of any warranty, support,
+  indemnity or liability terms you offer.
+
+5. Inability to Comply Due to Statute or Regulation.  If it is
+impossible for you to comply with any of the terms of this Agreement
+with respect to some or all of the VRT Certified Rules due to statute,
+judicial order, or regulation then you must: (a) comply with the terms
+of this Agreement to the maximum extent possible; and (b) describe the
+limitations and the code they affect.  Such description must be included
+with all distributions of the source code.  Except to the extent
+prohibited by statute or regulation, such description must be
+sufficiently detailed for a recipient of ordinary skill to be able to
+understand it.
+
+6. Application of this Agreement.  This Agreement also applies to code
+to which Sourcefire has attached the notice in Exhibit A and to related
+Modifications created under Section 3.
+
+7. Versions of the Agreement.
+
+  7.1. New Versions.  Sourcefire may publish revised and/or new versions
+  of the Agreement from time to time.  Each version will be given a
+  distinguishing version number.
+
+  7.2. Effect of New Versions. Once a VRT Certified Rule has been
+  published under a particular version of the Agreement, you may always
+  continue to use it under the terms of that version. You may also choose
+  to use such VRT Certified Rule under the terms of any subsequent version
+  of the Agreement published by Sourcefire. No one other than Sourcefire
+  has the right to modify the terms applicable to a VRT Certified Rule.
+
+8. DISCLAIMER OF WARRANTY.  THE VRT CERTIFIED RULES AND MODIFICATIONS IS
+ARE PROVIDED UNDER THIS AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION,
+WARRANTIES THAT THE VRT CERTIFIED RULES OR THE MODIFICATIONS ARE FREE OF
+DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
+THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE VRT CERTIFIED
+RULES AND MODIFICATIONS IS WITH YOU. SHOULD THE VRT CERTIFIED RULES OR
+MODIFICATIONS PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT SOURCEFIRE)
+ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS
+DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT.
+NO USE OF ANY VRT CERTIFIED RULE OR ANY MODIFICATION IS AUTHORIZED
+HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
+
+9. Termination.  This Agreement and the rights granted hereunder will
+terminate automatically if you fail to comply with any or all of the
+terms herein and fail to cure such breach within 30 days of becoming
+aware of the breach.  All sublicenses to the VRT Certified Rules, which
+are properly granted, shall survive any termination of this Agreement.
+Provisions which, by their nature, must remain in effect beyond the
+termination of this Agreement shall survive.
+
+10. LIMITATION OF LIABILITY.  UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
+THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
+SHALL YOU OR SOURCEFIRE BE LIABLE TO ANY PERSON FOR ANY INDIRECT,
+SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
+INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK
+STOPPAGE, SECURITY BREACHES OR FAILURES, COMPUTER FAILURE OR
+MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES, EVEN IF SUCH PARTY
+SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
+LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW
+PROHIBITS SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE
+EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS
+EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
+
+11. Audit Rights. You will, from time to time and as requested by
+Sourcefire, provide assurances to Sourcefire that you are using the VRT
+Certified Rules consistent with a Permitted Use, and you grant
+Sourcefire access, at reasonable times and in a reasonable manner, to
+the VRT Certified Rules in your possession or control, and to your
+books, records and facilities to permit Sourcefire to verify appropriate
+use of the VRT Certified Rules and compliance with this Agreement.
+Sourcefire's non-exercise of this right, or its failure to discover or
+object to any inappropriate use or other breach of this Agreement by
+you, shall not constitute its consent thereto or waiver of Sourcefire's
+rights hereunder or under law.  In the event your use of the VRT
+Certified Rules is not in compliance with a Permitted Use, or if you
+otherwise violate the terms of this Agreement, Sourcefire may, since
+remedies at law may be inadequate, in addition to its other remedies:
+(a) demand return of the VRT Certified Rules; (b) forbid and enjoin your
+further use of the VRT Certified Rules; (c) assess you the cost of
+Sourcefire's inspection and enforcement efforts (including attorney
+fees); and/or (d) assess you a use fee appropriate to your actual use of
+the VRT Certified Rules.
+
+12. United States Government Users.  If the VRT Certified Rules or
+Modifications are being acquired by or on behalf of the U.S. Government
+or by a U.S. Government prime contractor or subcontractor (at any tier),
+then the Government's rights in the VRT Certified Rules and
+Modifications shall be subject to Sourcefire's standard commercial terms
+and only as set forth in this Agreement; and only with "Limited Rights"
+and "Restricted Rights" as defined the federal regulations if the
+commercial terms are deemed not to apply..
+
+13. Miscellaneous.  This Agreement represents the complete agreement
+concerning subject matter hereof. If any provision of this Agreement is
+held to be unenforceable, such provision shall be reformed only to the
+extent necessary to make it enforceable. This Agreement shall be
+governed by Maryland law provisions (except to the extent applicable
+law, if any, provides otherwise), excluding its conflict-of-law
+provisions. Any litigation relating to this Agreement shall be subject
+to the jurisdiction of the state and Federal Courts serving Greenbelt,
+Maryland, with the losing party responsible for costs, including without
+limitation, court costs and reasonable attorneys' fees and expenses.
+You hereby submit to jurisdiction and venue in such courts.  The
+application of the United Nations Convention on Contracts for the
+International Sale of Goods is expressly excluded. Any law or regulation
+which provides that the language of a contract shall be construed
+against the drafter shall not apply to this Agreement.  Headings and
+section references are used for reference only and shall not be used
+define, limit or describe such section.
+
+EXHIBIT A - VRT Certified Rules License Agreement
+The contents of this file are subject to the VRT Certified Rules License
+Agreement 1.1 (the "Agreement").  You may not use this file except in
+compliance with the Agreement.  You may obtain a copy of the Agreement
+at www.snort.org.
+Software distributed under the Agreement is distributed on an "AS IS"
+basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+Agreement for the specific language governing rights and limitations
+under the Agreement.
+The developer of the VRT Certified Rules is Sourcefire, Inc., a Delaware
+corporation.
+Contributor:
+2005(c) Sourcefire, Inc. All Rights Reserved.  Snort(r), Sourcefire(tm),
+the Snort(r) logo and the Sourcefire logo are trademarks of Sourcefire.
+
+Note: A printer friendly version of this Agreement is available in PDF format.
--- /dev/null
+++ b/rules/community-inappropriate.rules
@@ -0,0 +1,8 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-inappropriate.rules,v 1.8 2005/04/01 17:16:23 akirk Exp $
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE lolita sex"; content:"lolita"; nocase; content:"sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000105; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE preteen sex"; content:"teen"; nocase; pcre:"/pre-?teen/i"; flow:to_client,established; classtype:kickass-porn; sid:100000123; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE girls gone wild"; content:"girls"; nocase; content:"gone"; nocase; content:"wild"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000124; rev:1;)
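Review bot: sid 100000123 is labelled `preteen sex` but its only match conditions are `content:"teen"; nocase;` and `pcre:"/pre-?teen/i"`, so it alerts on any HTTP response that contains "preteen" or "pre-teen". The sibling sid 100000105 requires a second keyword; adding `content:"sex"; nocase;` here (with a `rev` bump) would make the logic agree with the msg. All three rules match unanchored words anywhere in the server-to-client stream, so a high false-positive rate on ordinary pages is likely. If the packaged configuration includes this file by default (not visible in this hunk), consider shipping it disabled.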
--- /dev/null
+++ b/rules/misc.rules
@@ -0,0 +1,119 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: misc.rules,v 1.53.2.7.2.4 2005/07/22 19:19:54 mwatchinski Exp $
+#-----------
+# MISC RULES
+#-----------
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
+alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
+alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
+alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
+
+# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
+alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
+alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
+alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
+alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
+
+
+# once we get response, check for content:"|03|"; offset:0; depth:1;
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7;)
+
+alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
+alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6;)
+
+
+# This rule needs some work since you don't have to pass BEGIN and END
+# anywhere near each other.
+#
+#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
+#!   msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
+#!   content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
+#!   within:255; classtype:misc-attack;)
+
+
+# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:2;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8;)
+
+# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
+alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:12;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:6;)
+alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:3453; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1;)
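Review bot: sid 2158 (`MISC BGP invalid length`) uses the header `any any <> any 179` and puts no `depth` on the 16-byte all-ones marker, so it is evaluated on every TCP packet touching port 179 in either direction, internal peers included, and can match the marker anywhere in the payload. Its sibling sid 2159 scopes to `$EXTERNAL_NET`/`$HOME_NET` and anchors the marker with `depth:16`. The comment above the rule explains `flow:stateless` but not the wider scope; if that is deliberate, say so there (for example `# any/any and no depth are intentional: covers internal peers and messages that do not start a segment`), otherwise align the header with sid 2159. Separately, the msg strings of sid 500 and 501 read `lssr`/`lssre` while the options are `ipopts:lsrr`/`ipopts:lsrre`, so an analyst searching alerts by option name will miss them.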
--- /dev/null
+++ b/rules/exploit.rules
@@ -0,0 +1,121 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: exploit.rules,v 1.63.2.7.2.7 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# EXPLOIT RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flow:to_server,established; dsize:>1000; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
+alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flow:stateless; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
+
+alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
+alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:6;)
+
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;)
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;)
+alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1024,relative; content:!"</STREAMQUOTE>"; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:2;)
+alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
+alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:2;)
+alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:60; content:!"|00|"; depth:66; offset:6; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:3;)
+alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3458; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname Buffer Overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; isdataat:31; content:!"|00|"; depth:23; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3457; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3475; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3485; rev:3;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3479; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; dsize:>966; reference:bugtraq,12491; reference:can,2005-0260; classtype:attempted-admin; sid:3472; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow"; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3484; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3476; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3481; rev:3;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3483; rev:3;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3477; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3480; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3474; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow"; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3482; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3478; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3531; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3530; rev:2;)
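Review bot: In the ten Oracle Web Cache rules (sid 2551–2560) the pcre class `[^s]` excludes the literal letter "s" rather than whitespace, so an over-long request line with a lowercase "s" anywhere in the 432 bytes after the method is not matched; this looks like a dropped backslash. If non-whitespace was intended, each rule should read like `pcre:"/^GET[^\s]{432}/sm"`. Adding `isdataat:432,relative;` after the method `content`, as the other length-based rules in this file do, would also keep the regex off short packets. Separately, sid 1838 requires `\s` directly after `SSH-`, which an identification string of the usual `SSH-2.0-…` form does not contain, so that rule probably never fires as written; this should be confirmed against the referenced advisory.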
--- /dev/null
+++ b/rules/sid
@@ -0,0 +1 @@
+3827
--- /dev/null
+++ b/rules/dos.rules
@@ -0,0 +1,45 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: dos.rules,v 1.39.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
+#----------
+# DOS RULES
+#----------
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
+# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
+# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;)
+# alert tcp $EXTERNAL_NET !721:731 -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service denial of service attempt"; flow:to_server,established; dsize:>600; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:3;)
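Review bot: sid:272 and sid:273 are both enabled with the same header and the same detection options (`fragbits:M+; ip_proto:2;`), differing only in their references and rev, so every matching fragmented IGMP packet from $EXTERNAL_NET raises two identical "DOS IGMP dos attack" alerts. Unless both sids have to stay active for existing suppress or threshold entries, I would disable one the way this file already disables other rules, by prefixing the sid:273 line with `# `. Separately, in sid:1605 the `offset:0;` is the default and anchors nothing, so the six 0xFF bytes match anywhere in the payload sent to port 6004. If the match was meant for the start of the payload, add `depth:6;` after the content option.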
--- /dev/null
+++ b/rules/LICENSE
@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- /dev/null
+++ b/rules/smtp.rules
@@ -0,0 +1,94 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: smtp.rules,v 1.44.2.4.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#-----------
+# SMTP RULES
+#-----------
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
+alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; classtype:attempted-dos; sid:658; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:14;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:15;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:17;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:15;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:5;)
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:5;)
+alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:5;)
+
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:13;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2542; rev:6;)
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From command overflow attempt"; flow:to_server,established; content:"From"; nocase; pcre:"/^From\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2591; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ReplyTo command overflow attempt"; flow:to_server,established; content:"ReplyTo"; nocase; pcre:"/^ReplyTo\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2592; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Sender command overflow attempt"; flow:to_server,established; content:"Sender"; nocase; pcre:"/^Sender\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2593; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP To command overflow attempt"; flow:to_server,established; content:"To"; nocase; pcre:"/^To\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2594; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP CC command overflow attempt"; flow:to_server,established; content:"CC"; nocase; pcre:"/^CC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2595; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP BCC command overflow attempt"; flow:to_server,established; content:"BCC"; nocase; pcre:"/^BCC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2596; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3462; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3461; rev:2;)
--- /dev/null
+++ b/rules/community-deleted.rules
@@ -0,0 +1,7 @@
+# Copyright 2006 Sourcefire, Inc. All Rights Reserved.  # These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-deleted.rules,v 1.3 2006/12/05 20:32:48 akirk Exp $
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments.php"; nocase; uricontent:"keyword="; nocase; classtype:web-application-attack; sid:100000819; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments"; nocase; uricontent:"|2E|php"; nocase; uricontent:"|3F|keyword"; nocase; reference:bugtraq,18798; classtype:web-application-attack; sid:100000848; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000381; rev:3;)
--- /dev/null
+++ b/rules/info.rules
@@ -0,0 +1,32 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: info.rules,v 1.27.2.3.2.2 2005/05/31 17:13:02 mwatchinski Exp $
+#-----------
+# INFO RULES
+#-----------
+
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:9;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:policy-violation; sid:490; rev:7;)
+alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:9;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2925; rev:3;)
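Review bot: sid:718 and sid:1251 both match the server string "Login incorrect" from port 23, and sid:1251 (source `$HOME_NET`, with `nocase`) covers everything sid:718 does whenever `$TELNET_SERVERS` lies inside `$HOME_NET`, which I believe is the stock snort.conf default, so a single failed login would raise two `bad-unknown` alerts. I would keep only one of the pair enabled, or at least record the overlap above them with a comment such as `# sid:1251 overlaps sid:718 when TELNET_SERVERS is within HOME_NET; enable only one per sensor`. Separately, none of the failed-login rules in this hunk (sid:718, 491, 492, 1251) carries a rate limit, so they cannot tell a mistyped password from password guessing and will flood during a guessing run. Adding `threshold:type threshold, track by_dst, count 5, seconds 60;`, the form already used by the SMTP AUTH LOGON rule (sid:2275) in this patch, would turn them into a usable brute-force signal; the values should be tuned per site.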
--- /dev/null
+++ b/rules/web-iis.rules
@@ -0,0 +1,167 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-iis.rules,v 1.78.2.5.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# WEB-IIS RULES
+#--------------
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; reference:url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx; classtype:web-application-attack; sid:1970; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:16;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; reference:bugtraq,4672; classtype:web-application-activity; sid:1756; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:cve,2000-1089; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; reference:nessus,10359; reference:url,www.osvdb.org/274; classtype:web-application-activity; sid:1485; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:978; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:979; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;)
+
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx; classtype:web-application-attack; sid:1725; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; uricontent:"/bdir.htr"; nocase; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx; classtype:web-application-attack; sid:1007; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; classtype:web-application-attack; sid:1380; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; reference:bugtraq,886; reference:cve,2000-0024; reference:url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx; classtype:web-application-activity; sid:1010; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; uricontent:"CiWebHitsFile="; nocase; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; uricontent:"CiRestriction=none"; nocase; uricontent:"ciHiliteType=Full"; nocase; reference:bugtraq,950; reference:cve,2000-0097; reference:url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx; classtype:web-application-attack; sid:1021; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:1023; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx; classtype:web-application-activity; sid:1037; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; reference:cve,2000-0778; classtype:web-application-activity; sid:1042; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;)
+# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; flow:to_server,established; uricontent:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx; classtype:web-application-attack; sid:1567; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:11;)
+
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1802; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1803; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1804; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1801; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; classtype:web-application-activity; sid:2133; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:9;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; uricontent:"/w3who.dll?"; nocase; pcre:"/w3who.dll\x3F[^\r\n]{519}/i"; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cmd executable file parsing attack"; flow:established,to_server; uricontent:".cmd|22|"; nocase; pcre:"/.cmd\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat executable file parsing attack"; flow:established,to_server; uricontent:".bat|22|"; nocase; pcre:"/.bat\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS httpodbc.dll access - nimda"; flow:to_server,established; uricontent:"/httpodbc.dll"; nocase; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; uricontent:"contenttype="; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; reference:bugtraq,5004; reference:cve,2002-0186; reference:url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:4;)
--- /dev/null
+++ b/rules/web-client.rules
@@ -0,0 +1,54 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-client.rules,v 1.20.2.8.2.7 2005/07/22 19:19:54 mwatchinski Exp $
+#---------------
+# WEB-CLIENT RULES
+#---------------
+#
+# These signatures look for two things:
+# * bad things coming from our users
+# * attacks against our web users
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; reference:nessus,10767; classtype:attempted-user; sid:1233; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2435; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2436; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:10;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:7;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2438; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2439; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2440; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2589; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2671; rev:4;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:4;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:2;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:3088; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3132; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3134; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3133; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:3149; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:4;)
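Review bot: In sid:2440 ("RealPlayer playlist rtsp URL overflow attempt") the content match is `rtsp|3A|//` but the pcre is still `/^http\x3a\x2f\x2f[^\n]{400}/smi`, apparently copied from sid:2439 without being adapted. As written, the rule alerts only when the same payload also holds a line starting with `http://` followed by 400 non-newline bytes, so an overlong `rtsp://` URL in a playlist (the case the msg and cve,2004-0258 reference describe) goes undetected. The pcre should match the scheme the rule is named for: `pcre:"/^rtsp\x3a\x2f\x2f[^\n]{400}/smi";`, with the rule's rev incremented. If these files are meant to stay byte-identical to the upstream rule set, carry the fix as a local override and report it upstream, so the false negative does not return on the next rules update.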
--- /dev/null
+++ b/rules/unicode.map
@@ -0,0 +1,104 @@
+# Windows Version: 5.00.2195
+# OEM codepage: 437
+# ACP codepage: 1252
+
+# INSTALLED CODEPAGES
+10000 (MAC - Roman)
+
+
+10079 (MAC - Icelandic)
+
+
+1250  (ANSI - Central Europe)
+00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 
2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1251  (ANSI - Cyrillic)
+00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 
25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1252  (ANSI - Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 
2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1253  (ANSI - Greek)
+00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 
2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1254  (ANSI - Turkish)
+00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 
2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1255  (ANSI - Hebrew)
+0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1256  (ANSI - Arabic)
+00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1257  (ANSI - Baltic)
+ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1258  (ANSI/OEM - Viet Nam)
+ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+#INVALID CODEPAGE: 1361
+20127 (US-ASCII)
+00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 
0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+20261 (T.61)
+f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f 
+
+20866 (Russian - KOI8)
+00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 
263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 
+
+28591 (ISO 8859-1 Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 
ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+28592 (ISO 8859-2 Central Europe)
+00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 
ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+#INVALID CODEPAGE: 28595
+#INVALID CODEPAGE: 28597
+28605 (ISO 8859-15 Latin 9)
+00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 
ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+37    (IBM EBCDIC - U.S./Canada)
+0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 
+
+437   (OEM - United States)
+00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 
2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+500   (IBM EBCDIC - International)
+0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 
+
+850   (OEM - Multilingual Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 
2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+860   (OEM - Portuguese)
+00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 
2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
+
+861   (OEM - Icelandic)
+00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 
2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
+
+863   (OEM - Canadian French)
+00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 
203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
+
+865   (OEM - Nordic)
+00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 
2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 
+
+874   (ANSI/OEM - Thai)
+00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+932   (ANSI/OEM - Japanese Shift-JIS)
+00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 
+
+936   (ANSI/OEM - Simplified Chinese GBK)
+00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 
+
+949   (ANSI/OEM - Korean)
+00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 
+
+950   (ANSI/OEM - Traditional Chinese Big5)
+00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 
+
+65000 (UTF-7)
+
+
+65001 (UTF-8)
+
+
--- /dev/null
+++ b/rules/community-web-misc.rules
@@ -0,0 +1,215 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-misc.rules,v 1.45 2007/04/20 13:28:50 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/ "; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
+# Following rule submitted by Alexandru Ionica <gremlin@networked.ro>, and revised by Jason Haar <Jason.Haar@trimble.co.nz>
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; classtype:misc-activity; sid:100000132; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt"; flow:to_server,established; content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; classtype:attempted-admin; sid:100000150; rev:1;)
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; classtype:attempted-dos; sid:100000178; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; classtype:attempted-recon; sid:100000179; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 (msg:"COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt"; flow:to_server,established; uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; uricontent:"pass|3D|symantec"; nocase; reference:nessus,19598; reference:url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html; classtype:web-application-attack; sid:100000200; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt"; flow:to_server,established; uricontent:"/flsearch.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18305; classtype:web-application-attack; sid:100000209; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; sid:100000210; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; flow:to_server,established; content:"POST"; nocase; depth:4; uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; classtype:web-application-attack; sid:100000216; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC man2web cmd exec attempt"; flow:to_server,established; uricontent:"/man2web"; nocase; uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747; reference:nessus,19591; classtype:web-application-attack; sid:100000217; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access"; flow:to_server,established; uricontent:"/Login_Validate.asp"; nocase; uricontent:"Password|3D|"; nocase; reference:cve,2006-0192; classtype:web-application-activity; sid:100000225; rev:1;)
+
+#Rule to detect use of Google's translation feature to bypass content monitor submitted by David Bianco
+alert tcp any any -> any $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language"; flow:established, to_server; uricontent:"/translate?"; pcre:"/translate\?.*langpair=([a-zA-Z]+)(%7C|\|)\1\&/Ui"; classtype: policy-violation; reference:url,www.boingboing.net/2006/02/22/argonne_national_lab.html; sid:100000237; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sRedirectUrl="; nocase; pcre:"/sRedirectUrl=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000302; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sCancelURL="; nocase; pcre:"/sCancelURL=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000303; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal"; flow:to_server,established; content:"GET"; nocase; pcre:"/GET[^\r\n]*?\x2e\x2e(\x2f|\x5c)[^\r\n]*?HTTP[^\r\n]*?\r\n/msi"; reference:bugtraq,14715; reference:cve,2005-2020; classtype:web-application-attack; sid:100000313; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MediaWiki parser script insertion attempt"; flow:to_server,established; content:"POST"; nocase; content:"|7B 7B 7B|"; pcre:"/\x7B\x7B\x7B[^\r\n]*\x3C[^\r\n]*\x7C[^\r\n]*\x3E[^\r\n]*\x7D\x7D\x7D/"; reference:cve,2006-2611; classtype:attempted-user; sid:100000314; rev:1;)
+
+#Rules for detecting HTTP PUT requests, successful or not, submitted by David Bianco; enable only after reading the rule documentation for these two SIDs
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP PUT Request"; flow:to_server,established; content:"PUT "; depth:4; flowbits:set,http.put; flowbits:noalert; classtype:misc-activity; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000315; rev:1;)
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC HTTP PUT Request Successful"; flow:from_server,established; flowbits:isset,http.put; content:"HTTP/"; nocase; depth:5; content:"200"; within:7; classtype:web-application-attack; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000316; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar classified_right.php remote file include"; flow:to_server,established; uricontent:"/classified_right.php"; nocase; uricontent:"language_dir="; nocase; pcre:"/language_dir=(https?|ftp)/Ui"; reference:bugtraq,18052; classtype:web-application-attack; sid:100000317; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access"; flow:to_server,established; uricontent:"/admin/admin.php"; nocase; uricontent:"action=edit_member&value=1"; nocase; reference:bugtraq,18053; reference:cve,2006-2527; classtype:web-application-attack; sid:100000318; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ActualScripts direct.php remote file include"; flow:to_server,established; uricontent:"/direct.php"; nocase; uricontent:"rf="; nocase; pcre:"/rf=(https?|ftp)/Ui"; reference:bugtraq,17597; classtype:web-application-attack; sid:100000319; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include"; flow:to_server,established; uricontent:"/functions.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000320; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include"; flow:to_server,established; uricontent:"/help.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000321; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include"; flow:to_server,established; uricontent:"/mail.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000322; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include"; flow:to_server,established; uricontent:"/news.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000323; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000324; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_cats.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000325; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_edit.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000326; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_import.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000327; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_templates.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000328; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include"; flow:to_server,established; uricontent:"/classes/post/class_post.php"; nocase; uricontent:"post_icon="; nocase; pcre:"/post_icon=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000329; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include"; flow:to_server,established; uricontent:"/action_public/moderate.php"; nocase; uricontent:"df="; nocase; pcre:"/df=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000330; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ZixForum settings.asp access"; flow:to_server,established; uricontent:"/settings.asp"; nocase; uricontent:"layid="; nocase; reference:bugtraq,18043; classtype:web-application-attack; sid:100000331; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"email="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000332; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"logfile="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000333; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include"; flow:to_server,established; uricontent:"/reconfig.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000334; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include"; flow:to_server,established; uricontent:"/srxclr.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000335; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000336; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include"; flow:to_server,established; uricontent:"/defaults_setup.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000337; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000338; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail core.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3/core.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000339; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail pop3.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000340; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS help.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/help.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000341; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS business.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/business.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000342; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS credits.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/credits.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000343; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000344; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail inc-common.php remote file include"; flow:to_server,established; uricontent:"/inc-common.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000345; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Plume CMS prepend.php remote file include"; flow:to_server,established; uricontent:"/manager/frontinc/prepend.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config[manager_path]=(https?|ftp)/Ui"; reference:bugtraq,16662; classtype:web-application-attack; sid:100000346; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro form.php remote file include"; flow:to_server,established; uricontent:"/form.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000347; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include"; flow:to_server,established; uricontent:"/customize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000348; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include"; flow:to_server,established; uricontent:"/initialize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000349; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include"; flow:to_server,established; uricontent:"/ubbt.inc.php"; nocase; uricontent:"GLOBALS[thispath]="; nocase; pcre:"/GLOBALS[thispath]=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000350; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include"; flow:to_server,established; uricontent:"/includepollresults.php?config[cookieprefix]"; nocase; uricontent:"w3t_language="; nocase; pcre:"/w3t_language=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000351; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include"; flow:to_server,established; uricontent:"/blend_data/blend_common.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18153; reference:url,www.nukedx.com/?viewdoc=41; classtype:web-application-attack; sid:100000352; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC tinyBB footers.php remote file include"; flow:to_server,established; uricontent:"/footers.php"; nocase; uricontent:"tinybb_footers="; nocase; pcre:"/tinybb_footers=(https?|ftp)/Ui"; reference:bugtraq,18147; classtype:web-application-attack; sid:100000353; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include"; flow:to_server,established; uricontent:"/lang_activity.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18155; classtype:web-application-attack; sid:100000354; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC eSyndiCat cron.php remote file include"; flow:to_server,established; uricontent:"/admin/cron.php"; nocase; uricontent:"path_to_config="; nocase; pcre:"/path_to_config=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20218/; classtype:web-application-attack; sid:100000355; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_qry_common.php remote file include"; flow:to_server,established; uricontent:"/base_qry_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_stat_common.php remote file include"; flow:to_server,established; uricontent:"/base_stat_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_include.inc.php remote file include"; flow:to_server,established; uricontent:"/base_include.inc.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include"; flow:to_server,established; uricontent:"/drucken.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000359; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include"; flow:to_server,established; uricontent:"/drucken2.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000360; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include"; flow:to_server,established; uricontent:"/email_an_benutzer.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000361; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include"; flow:to_server,established; uricontent:"/rechnung.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000362; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000363; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000364; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke index.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/index.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000365; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000366; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_board.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_board.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000367; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_disallow.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000368; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forumauth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000369; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_groups.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000370; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ranks.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000371; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000372; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_user_ban.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000373; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_words.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_words.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000374; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_avatar.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000375; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_db_utilities.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000376; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forum_prune.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000377; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forums.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000378; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_mass_email.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000379; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_smilies.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000380; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_users.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_users.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000382; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OsTicket open_form.php remote file include"; flow:to_server,established; uricontent:"/open_form.php"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=(https?|ftp)/Ui"; reference:bugtraq,18190; classtype:web-application-attack; sid:100000383; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000384; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman error.php remote file include"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000385; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman main_class.php remote file include"; flow:to_server,established; uricontent:"/classes/main_class.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000386; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia index.php remote file include"; flow:to_server,established; uricontent:"/orid/index.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000387; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia topman.php remote file include"; flow:to_server,established; uricontent:"/orid/topman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000388; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/orid/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000389; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadmb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000390; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadma.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000391; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadm.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000392; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia start.php remote file include"; flow:to_server,established; uricontent:"/orid/start.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000393; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia search.php remote file include"; flow:to_server,established; uricontent:"/orid/search.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000394; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia posts.php remote file include"; flow:to_server,established; uricontent:"/orid/posts.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000395; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia options.php remote file include"; flow:to_server,established; uricontent:"/orid/options.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000396; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia login.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/login.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000397; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia frchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/frchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000398; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/flbchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000399; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia fileman.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/fileman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000400; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia faq.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/faq.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000401; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia event.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/event.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000402; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia directory.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/directory.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000403; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia articles.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/articles.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000404; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia artedit.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/artedit.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000405; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000406; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia calday.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/calday.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000407; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include"; flow:to_server,established; uricontent:"/cache_mngt.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000408; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include"; flow:to_server,established; uricontent:"/gallery_functions.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000409; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/image_resize/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000410; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/simple_user/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000411; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/stats/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000412; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/import_export/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000413; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO community.inc.php remote file include"; flow:to_server,established; uricontent:"/include/pages/community.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000414; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Bytehoard server.php remote file include"; flow:to_server,established; uricontent:"/includes/webdav/server.php"; nocase; uricontent:"bhconfig[bhfilepath]="; nocase; pcre:"/bhconfig[bhfilepath]=(https?|ftp)/Ui"; reference:bugtraq,18234; classtype:web-application-attack; sid:100000415; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000416; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie scode.php remote file include"; flow:to_server,established; uricontent:"/scode.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000417; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include"; flow:to_server,established; uricontent:"/ashheadlines.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000418; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include"; flow:to_server,established; uricontent:"/ashnews.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000419; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Informium common-menu.php remote file include"; flow:to_server,established; uricontent:"/admin/common-menu.php"; nocase; uricontent:"CONF[local_path]="; nocase; pcre:"/CONF[local_path]=(https?|ftp)/Ui"; reference:bugtraq,18249; classtype:web-application-attack; sid:100000420; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Igloo wiki.php remote file include"; flow:to_server,established; uricontent:"/wiki.php"; nocase; uricontent:"c_node[class_path]="; nocase; pcre:"/c_node[class_path]=(https?|ftp)/Ui"; reference:bugtraq,18250; classtype:web-application-attack; sid:100000421; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"page="; nocase; pcre:"/page=(https?|ftp)/Ui"; reference:bugtraq,18255; classtype:web-application-attack; sid:100000422; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000423; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include"; flow:to_server,established; uricontent:"/feedback.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000424; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include"; flow:to_server,established; uricontent:"/printfriendly.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000425; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotClear prepend.php remote file include"; flow:to_server,established; uricontent:"/prepend.php"; nocase; uricontent:"blog_dc_path="; nocase; pcre:"/blog_dc_path=(https?|ftp)/Ui"; reference:bugtraq,18259; classtype:web-application-attack; sid:100000426; rev:2;)
+
+# JBoss Rules from Jon Hart <jhart@spoofed.org>
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss jmx-console html adaptor access"; flow:to_server,established; uricontent:"/jmx-console/HtmlAdaptor"; reference:url,jboss.org/wiki/Wiki.jsp?page=JMXConsole; classtype:misc-activity; sid:100000427; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss web-console access"; flow:to_server,established; uricontent:"/web-console"; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:1;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include"; flow:to_server,established; uricontent:"/applications/faq/Bs_Faq.class.php"; nocase; uricontent:"APP[path][applications]="; nocase; pcre:"/APP\[path\]\[applications\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000430; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include"; flow:to_server,established; uricontent:"/applications/filebrowser/fileBrowserInner.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000431; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes file.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/file.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000432; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes viewer.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/viewer.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000433; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include"; flow:to_server,established; uricontent:"/applications/imagearchive/Bs_ImageArchive.class.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000434; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include"; flow:to_server,established; uricontent:"/applications/mailinglist/Bs_Ml_User.class.php"; nocase; uricontent:"GLOBALS[APP][path][core]="; nocase; pcre:"/GLOBALS\[APP\]\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000435; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include"; flow:to_server,established; uricontent:"/applications/websearchengine/Bs_Wse_Profile.class.php"; nocase; uricontent:"APP[path][plugins]="; nocase; pcre:"/APP\[path\]\[plugins\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000436; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include"; flow:to_server,established; uricontent:"/class.cs_phpmailer.php"; nocase; uricontent:"classes_dir="; nocase; pcre:"/classes_dir=(https?|ftp)/Ui"; reference:bugtraq,18263; classtype:web-application-attack; sid:100000437; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/mambo.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000438; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/postnuke.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000439; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CyBoards common.php remote file include"; flow:to_server,established; uricontent:"/include/common.php"; nocase; uricontent:"script_path="; nocase; pcre:"/script_path=(https?|ftp)/Ui"; reference:bugtraq,18272; classtype:web-application-attack; sid:100000440; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include"; flow:to_server,established; uricontent:"/wk_lang.php"; nocase; uricontent:"WK[wkpath]="; nocase; pcre:"/WK\[wkpath\]=(https?|ftp)/Ui"; reference:bugtraq,18291; classtype:web-application-attack; sid:100000441; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include"; flow:to_server,established; uricontent:"/pcltar.lib.php"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/g_pcltar_lib_dir=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000442; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include"; flow:to_server,established; uricontent:"/galimage.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000443; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include"; flow:to_server,established; uricontent:"/galsecurity.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000444; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"sqlType="; nocase; pcre:"/sqlType(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000448; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/files.asp"; nocase; uricontent:"Project="; nocase; pcre:"/Project(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000449; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18368; classtype:web-application-attack; sid:100000450; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000451; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"albumid="; nocase; pcre:"/albumid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000452; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"apage="; nocase; pcre:"/apage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000453; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"New Category="; nocase; pcre:"/New Category(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000454; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt"; flow:to_server,established; uricontent:"/viewposts.cfm"; nocase; uricontent:"startrow="; nocase; pcre:"/startrow(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18473; classtype:web-application-attack; sid:100000455; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt"; flow:to_server,established; uricontent:"/index.cfm"; nocase; uricontent:"message="; nocase; pcre:"/message(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18482; classtype:web-application-attack; sid:100000456; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/pages.asp"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18512; classtype:web-application-attack; sid:100000457; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt"; flow:to_server,established; uricontent:"/details.cfm"; nocase; uricontent:"image="; nocase; pcre:"/image(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18526; classtype:web-application-attack; sid:100000458; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"host/yeni_host.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18564; classtype:web-application-attack; sid:100000459; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AZureus index.tmpl xss attempt"; flow:to_server,established; uricontent:"/index.tmpl"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18596; classtype:web-application-attack; sid:100000460; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"To="; nocase; pcre:"/To(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000461; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"From="; nocase; pcre:"/From(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000462; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt"; flow:to_server,established; uricontent:"/gbrowse.php"; nocase; uricontent:"cat_id="; nocase; pcre:"/cat_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000694; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt"; flow:to_server,established; uricontent:"/rating.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000695; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt"; flow:to_server,established; uricontent:"/create.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000696; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"event_id="; nocase; pcre:"/event_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000697; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BXCP index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; pcre:"/where(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18765; classtype:web-application-attack; sid:100000698; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000699; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"disable="; nocase; pcre:"/disable(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000700; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WordPress index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"paged="; nocase; pcre:"/paged(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18779; classtype:web-application-attack; sid:100000701; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/SayfalaAltList.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18899; classtype:web-application-attack; sid:100000702; rev:1;)
+
+# Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"COMMUNITY WEB-MISC Webmin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000890; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"COMMUNITY WEB-MISC Usermin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000891; rev:1;)
+
+# Rule submitted by Avinash Shenoi (Cenzic Inc. CIA Research Team)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt"; flow:to_server; content:"blog-category-description"; nocase; pcre:"/blog-category-description(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000895; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt"; flow:to_server; content:"blog-entry-title"; nocase; pcre:"/blog-entry-title(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000896; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt"; flow:to_server; content:"rss-enclosure-url"; nocase; pcre:"/rss-enclosure-url(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000897; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt"; flow:to_server; content:"technorati-tags"; nocase; pcre:"/technorati-tags(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000898; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt"; flow:to_server; content:"blog-category-name"; nocase; pcre:"/blog-category-name(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000899; rev:1;)
--- /dev/null
+++ b/rules/sid-msg.map
@@ -0,0 +1,3544 @@
+103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
+104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
+105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
+106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
+107 || BACKDOOR subseven DEFCON8 2.1 access
+108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
+109 || BACKDOOR netbus active || arachnids,401
+110 || BACKDOOR netbus getinfo || arachnids,403
+111 || BACKDOOR netbus getinfo || arachnids,403
+112 || BACKDOOR BackOrifice access || arachnids,400
+113 || BACKDOOR DeepThroat access || arachnids,405
+114 || BACKDOOR netbus active || arachnids,401
+115 || BACKDOOR NetBus Pro 2.0 connection established
+116 || BACKDOOR BackOrifice access || arachnids,399
+117 || BACKDOOR Infector.1.x || arachnids,315
+118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316
+119 || BACKDOOR Doly 2.0 access || arachnids,312
+120 || BACKDOOR Infector 1.6 Server to Client || cve,1999-0660 || nessus,11157
+121 || BACKDOOR Infector 1.6 Client to Server Connection Request || cve,1999-0660 || nessus,11157
+122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106
+124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106
+125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106
+126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106
+127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106
+128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106
+129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106
+130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106
+131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106
+132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106
+133 || BACKDOOR DeepThroat 3.1 Cached Passwords Client Request || arachnids,106
+134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106
+135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106
+136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106
+137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106
+138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106
+140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106
+141 || BACKDOOR HackAttack 1.20 Connect
+142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106
+143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106
+144 || FTP ADMw0rm ftp login attempt || arachnids,01
+145 || BACKDOOR GirlFriendaccess || arachnids,98
+146 || BACKDOOR NetSphere access || arachnids,76
+147 || BACKDOOR GateCrasher || arachnids,99
+148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106
+149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
+150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
+151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
+152 || BACKDOOR BackConstruction 2.1 Connection
+153 || BACKDOOR DonaldDick 1.53 Traffic || mcafee,98575
+154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106
+155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76
+156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106
+157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request
+158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply
+159 || BACKDOOR NetMetro File List || arachnids,79
+160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79
+161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83
+162 || BACKDOOR Matrix 2.0 Server access || arachnids,83
+163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36
+164 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
+165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106
+166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106
+167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106
+168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106
+169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106
+170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106
+171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106
+172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106
+173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106
+174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
+175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106
+176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
+177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106
+179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106
+180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106
+181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106
+182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106
+183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202
+184 || BACKDOOR Q access || arachnids,203
+185 || BACKDOOR CDK || arachnids,263
+186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106
+187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106
+188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106
+189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106
+190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106
+191 || BACKDOOR DeepThroat 3.1 Change Window Title Client Request || arachnids,106
+192 || BACKDOOR DeepThroat 3.1 Hide Window Client Request || arachnids,106
+193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106
+194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106
+195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106 || mcafee,98574 || nessus,10053
+196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106
+197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106
+198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106
+199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106
+200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106
+201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106
+202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106
+203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
+204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
+205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106
+206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106
+207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106
+208 || BACKDOOR PhaseZero Server Active on Network
+209 || BACKDOOR w00w00 attempt || arachnids,510
+210 || BACKDOOR attempt
+211 || BACKDOOR MISC r00t attempt
+212 || BACKDOOR MISC rewt attempt
+213 || BACKDOOR MISC Linux rootkit attempt
+214 || BACKDOOR MISC Linux rootkit attempt lrkr0x
+215 || BACKDOOR MISC Linux rootkit attempt
+216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516
+217 || BACKDOOR MISC sm4ck attempt
+218 || BACKDOOR MISC Solaris 2.5 attempt
+219 || BACKDOOR HidePak backdoor attempt
+220 || BACKDOOR HideSource backdoor attempt
+221 || DDOS TFN Probe || arachnids,443
+222 || DDOS tfn2k icmp possible communication || arachnids,425
+223 || DDOS Trin00 Daemon to Master PONG message detected || arachnids,187
+224 || DDOS Stacheldraht server spoof || arachnids,193
+225 || DDOS Stacheldraht gag server response || arachnids,195
+226 || DDOS Stacheldraht server response || arachnids,191
+227 || DDOS Stacheldraht client spoofworks || arachnids,192
+228 || DDOS TFN client command BE || arachnids,184
+229 || DDOS Stacheldraht client check skillz || arachnids,190
+230 || DDOS shaft client login to handler || arachnids,254 || url,security.royans.net/info/posts/bugtraq_ddos3.shtml
+231 || DDOS Trin00 Daemon to Master message detected || arachnids,186
+232 || DDOS Trin00 Daemon to Master *HELLO* message detected || arachnids,185 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm
+233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197
+234 || DDOS Trin00 Attacker to Master default password
+235 || DDOS Trin00 Attacker to Master default mdie password
+236 || DDOS Stacheldraht client check gag || arachnids,194
+237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197
+238 || DDOS TFN server response || arachnids,182
+239 || DDOS shaft handler to agent || arachnids,255
+240 || DDOS shaft agent to handler || arachnids,256
+241 || DDOS shaft synflood || arachnids,253 || cve,2000-0138
+243 || DDOS mstream agent to handler
+244 || DDOS mstream handler to agent || cve,2000-0138
+245 || DDOS mstream handler ping to agent || cve,2000-0138
+246 || DDOS mstream agent pong to handler
+247 || DDOS mstream client to handler || cve,2000-0138
+248 || DDOS mstream handler to client || cve,2000-0138
+249 || DDOS mstream client to handler || arachnids,111 || cve,2000-0138
+250 || DDOS mstream handler to client || cve,2000-0138
+251 || DDOS - TFN client command LE || arachnids,183
+252 || DNS named iquery attempt || arachnids,277 || bugtraq,134 || cve,1999-0009 || url,www.rfc-editor.org/rfc/rfc1035.txt
+253 || DNS SPOOF query response PTR with TTL of 1 min. and no authority
+254 || DNS SPOOF query response with TTL of 1 min. and no authority
+255 || DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595
+256 || DNS named authors attempt || arachnids,480 || nessus,10728
+257 || DNS named version attempt || arachnids,278 || nessus,10028
+258 || DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833
+259 || DNS EXPLOIT named overflow ADM || bugtraq,788 || cve,1999-0833
+260 || DNS EXPLOIT named overflow ADMROCKS || bugtraq,788 || cve,1999-0833 || url,www.cert.org/advisories/CA-1999-14.html
+261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html
+262 || DNS EXPLOIT x86 Linux overflow attempt
+264 || DNS EXPLOIT x86 Linux overflow attempt
+265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2
+266 || DNS EXPLOIT x86 FreeBSD overflow attempt
+267 || DNS EXPLOIT sparc overflow attempt
+268 || DOS Jolt attack || cve,1999-0345
+269 || DOS Land attack || bugtraq,2666 || cve,1999-0016
+270 || DOS Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html
+271 || DOS UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635
+272 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 || url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx
+273 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918
+274 || DOS ath || arachnids,264 || cve,1999-1228
+275 || DOS NAPTHA || bugtraq,2022 || cve,2000-1039 || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || url,www.cert.org/advisories/CA-2000-21.html || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx
+276 || DOS Real Audio Server || arachnids,411 || bugtraq,1288 || cve,2000-0474
+277 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
+278 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474
+279 || DOS Bay/Nortel Nautica Marlin || bugtraq,1009 || cve,2000-0221
+281 || DOS Ascend Route || arachnids,262 || bugtraq,714 || cve,1999-0060
+282 || DOS arkiea backup || arachnids,261 || bugtraq,662 || cve,1999-0788
+283 || EXPLOIT Netscape 4.7 client overflow || arachnids,215 || bugtraq,822 || cve,1999-1189 || cve,2000-1187
+284 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130
+285 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130
+286 || POP3 EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196
+287 || POP3 EXPLOIT x86 BSD overflow
+288 || POP3 EXPLOIT x86 Linux overflow
+289 || POP3 EXPLOIT x86 SCO overflow || bugtraq,156 || cve,1999-0006
+290 || POP3 EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184
+291 || NNTP Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341
+292 || EXPLOIT x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811
+293 || IMAP EXPLOIT overflow
+295 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
+296 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
+297 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
+298 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
+299 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005
+300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319
+301 || EXPLOIT LPRng overflow || bugtraq,1712 || cve,2000-0917
+302 || EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917
+303 || DNS EXPLOIT named tsig overflow attempt || arachnids,482 || bugtraq,2302 || cve,2001-0010
+304 || EXPLOIT SCO calserver overflow || bugtraq,2353 || cve,2000-0306
+305 || EXPLOIT delegate proxy overflow || arachnids,267 || bugtraq,808 || cve,2000-0165
+306 || EXPLOIT VQServer admin || bugtraq,1610 || cve,2000-0766 || url,www.vqsoft.com/vq/server/docs/other/control.html
+307 || EXPLOIT CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672
+308 || EXPLOIT NextFTP client overflow || bugtraq,572 || cve,1999-0671
+309 || EXPLOIT sniffit overflow || arachnids,273 || bugtraq,1158 || cve,2000-0343
+310 || EXPLOIT x86 windows MailMax overflow || bugtraq,2312 || cve,1999-0404
+311 || EXPLOIT Netscape 4.7 unsucessful overflow || arachnids,214 || bugtraq,822 || cve,1999-1189 || cve,2000-1187
+312 || EXPLOIT ntpdx overflow attempt || arachnids,492 || bugtraq,2540 || cve,2001-0414
+313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210
+314 || DNS EXPLOIT named tsig overflow attempt || bugtraq,2303 || cve,2001-0010
+315 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
+316 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
+317 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
+318 || EXPLOIT bootp x86 bsd overfow || bugtraq,324 || cve,1999-0914
+319 || EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799
+320 || FINGER cmd_rootsh backdoor attempt || nessus,10070 || url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm
+321 || FINGER account enumeration attempt || nessus,10788
+322 || FINGER search query || arachnids,375 || cve,1999-0259
+323 || FINGER root query || arachnids,376
+324 || FINGER null request || arachnids,377
+325 || FINGER probe 0 attempt || arachnids,378
+326 || FINGER remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150
+327 || FINGER remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152
+328 || FINGER bomb attempt || arachnids,381 || cve,1999-0106
+329 || FINGER cybercop redirection || arachnids,11
+330 || FINGER redirection attempt || arachnids,251 || cve,1999-0105 || nessus,10073
+331 || FINGER cybercop query || arachnids,132 || cve,1999-0612
+332 || FINGER 0 query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069
+333 || FINGER . query || arachnids,130 || cve,1999-0198 || nessus,10072
+334 || FTP .forward || arachnids,319
+335 || FTP .rhosts || arachnids,328
+336 || FTP CWD ~root attempt || arachnids,318 || cve,1999-0082
+337 || FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009
+338 || FTP EXPLOIT format string || arachnids,453 || bugtraq,1387 || cve,2000-0573
+339 || FTP EXPLOIT OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053
+340 || FTP EXPLOIT overflow
+341 || FTP EXPLOIT overflow
+342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573
+343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573
+344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573
+345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452
+346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573
+348 || FTP EXPLOIT wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387
+349 || FTP EXPLOIT MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
+350 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
+351 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368
+352 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || cve,1999-0368
+353 || FTP adm scan || arachnids,332
+354 || FTP iss scan || arachnids,331
+355 || FTP pass wh00t || arachnids,324
+356 || FTP passwd retrieval attempt || arachnids,213
+357 || FTP piss scan
+358 || FTP saint scan || arachnids,330
+359 || FTP satan scan || arachnids,329
+360 || FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054
+361 || FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 || cve,1999-0955
+362 || FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997
+363 || ICMP IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875
+364 || ICMP IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875
+365 || ICMP PING undefined code
+366 || ICMP PING *NIX
+368 || ICMP PING BSDtype || arachnids,152
+369 || ICMP PING BayRS Router || arachnids,438 || arachnids,444
+370 || ICMP PING BeOS4.x || arachnids,151
+371 || ICMP PING Cisco Type.x || arachnids,153
+372 || ICMP PING Delphi-Piette Windows || arachnids,155
+373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156
+374 || ICMP PING IP NetMonitor Macintosh || arachnids,157
+375 || ICMP PING LINUX/*BSD || arachnids,447
+376 || ICMP PING Microsoft Windows || arachnids,159
+377 || ICMP PING Network Toolbox 3 Windows || arachnids,161
+378 || ICMP PING Ping-O-MeterWindows || arachnids,164
+379 || ICMP PING Pinger Windows || arachnids,163
+380 || ICMP PING Seer Windows || arachnids,166
+381 || ICMP PING Sun Solaris || arachnids,448
+382 || ICMP PING Windows || arachnids,169
+384 || ICMP PING
+385 || ICMP traceroute || arachnids,118
+386 || ICMP Address Mask Reply
+387 || ICMP Address Mask Reply undefined code
+388 || ICMP Address Mask Request
+389 || ICMP Address Mask Request undefined code
+390 || ICMP Alternate Host Address
+391 || ICMP Alternate Host Address undefined code
+392 || ICMP Datagram Conversion Error
+393 || ICMP Datagram Conversion Error undefined code
+394 || ICMP Destination Unreachable Destination Host Unknown
+395 || ICMP Destination Unreachable Destination Network Unknown
+396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set
+397 || ICMP Destination Unreachable Host Precedence Violation
+398 || ICMP Destination Unreachable Host Unreachable for Type of Service
+399 || ICMP Destination Unreachable Host Unreachable
+400 || ICMP Destination Unreachable Network Unreachable for Type of Service
+401 || ICMP Destination Unreachable Network Unreachable
+402 || ICMP Destination Unreachable Port Unreachable
+403 || ICMP Destination Unreachable Precedence Cutoff in effect
+404 || ICMP Destination Unreachable Protocol Unreachable
+405 || ICMP Destination Unreachable Source Host Isolated
+406 || ICMP Destination Unreachable Source Route Failed
+407 || ICMP Destination Unreachable cndefined code
+408 || ICMP Echo Reply
+409 || ICMP Echo Reply undefined code
+410 || ICMP Fragment Reassembly Time Exceeded
+411 || ICMP IPV6 I-Am-Here
+412 || ICMP IPV6 I-Am-Here undefined code
+413 || ICMP IPV6 Where-Are-You
+414 || ICMP IPV6 Where-Are-You undefined code
+415 || ICMP Information Reply
+416 || ICMP Information Reply undefined code
+417 || ICMP Information Request
+418 || ICMP Information Request undefined code
+419 || ICMP Mobile Host Redirect
+420 || ICMP Mobile Host Redirect undefined code
+421 || ICMP Mobile Registration Reply
+422 || ICMP Mobile Registration Reply undefined code
+423 || ICMP Mobile Registration Request
+424 || ICMP Mobile Registration Request undefined code
+425 || ICMP Parameter Problem Bad Length
+426 || ICMP Parameter Problem Missing a Required Option
+427 || ICMP Parameter Problem Unspecified Error
+428 || ICMP Parameter Problem undefined Code
+429 || ICMP Photuris Reserved
+430 || ICMP Photuris Unknown Security Parameters Index
+431 || ICMP Photuris Valid Security Parameters, But Authentication Failed
+432 || ICMP Photuris Valid Security Parameters, But Decryption Failed
+433 || ICMP Photuris undefined code!
+436 || ICMP Redirect for TOS and Host
+437 || ICMP Redirect for TOS and Network
+438 || ICMP Redirect undefined code
+439 || ICMP Reserved for Security Type 19
+440 || ICMP Reserved for Security Type 19 undefined code
+441 || ICMP Router Advertisement || arachnids,173
+443 || ICMP Router Selection || arachnids,174
+445 || ICMP SKIP
+446 || ICMP SKIP undefined code
+448 || ICMP Source Quench undefined code
+449 || ICMP Time-To-Live Exceeded in Transit
+450 || ICMP Time-To-Live Exceeded in Transit undefined code
+451 || ICMP Timestamp Reply
+452 || ICMP Timestamp Reply undefined code
+453 || ICMP Timestamp Request
+454 || ICMP Timestamp Request undefined code
+455 || ICMP Traceroute ipopts || arachnids,238
+456 || ICMP Traceroute
+457 || ICMP Traceroute undefined code
+458 || ICMP unassigned type 1
+459 || ICMP unassigned type 1 undefined code
+460 || ICMP unassigned type 2
+461 || ICMP unassigned type 2 undefined code
+462 || ICMP unassigned type 7
+463 || ICMP unassigned type 7 undefined code
+465 || ICMP ISS Pinger || arachnids,158
+466 || ICMP L3retriever Ping || arachnids,311
+467 || ICMP Nemesis v1.1 Echo || arachnids,449
+469 || ICMP PING NMAP || arachnids,162
+471 || ICMP icmpenum v1.1.1 || arachnids,450
+472 || ICMP redirect host || arachnids,135 || cve,1999-0265
+473 || ICMP redirect net || arachnids,199 || cve,1999-0265
+474 || ICMP superscan echo
+475 || ICMP traceroute ipopts || arachnids,238
+476 || ICMP webtrends scanner || arachnids,307
+477 || ICMP Source Quench
+478 || ICMP Broadscan Smurf Scanner
+480 || ICMP PING speedera
+481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167
+482 || ICMP PING WhatsupGold Windows || arachnids,168
+483 || ICMP PING CyberKit 2.2 Windows || arachnids,154
+484 || ICMP PING Sniffer Pro/NetXRay network scan
+485 || ICMP Destination Unreachable Communication Administratively Prohibited
+486 || ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
+487 || ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
+488 || INFO Connection Closed MSG from Port 80
+489 || INFO FTP no password || arachnids,322
+490 || INFO battle-mail traffic
+491 || INFO FTP Bad login
+492 || INFO TELNET login failed
+493 || INFO psyBNC access
+494 || ATTACK-RESPONSES command completed || bugtraq,1806
+495 || ATTACK-RESPONSES command error
+496 || ATTACK RESPONSES directory listing
+497 || ATTACK-RESPONSES file copied ok || bugtraq,1806 || cve,2000-0884
+498 || ATTACK-RESPONSES id check returned root
+499 || ICMP Large ICMP Packet || arachnids,246
+500 || MISC source route lssr || arachnids,418 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx
+501 || MISC source route lssre || arachnids,420 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx
+502 || MISC source route ssrr || arachnids,422
+503 || MISC Source Port 20 to <1024 || arachnids,06
+504 || MISC source port 53 to <1024 || arachnids,07
+505 || MISC Insecure TIMBUKTU Password || arachnids,229
+506 || MISC ramen worm incoming || arachnids,460
+507 || MISC PCAnywhere Attempted Administrator Login
+508 || MISC gopher proxy || arachnids,409
+509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300 || bugtraq,1557 || cve,2000-0707 || nessus,10783
+510 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
+511 || MISC Invalid PCAnywhere Login
+512 || MISC PCAnywhere Failed Login || arachnids,240
+513 || MISC Cisco Catalyst Remote Access || arachnids,129 || bugtraq,705 || cve,1999-0430
+514 || MISC ramen worm || arachnids,461
+516 || MISC SNMP NT UserList || nessus,10546
+517 || MISC xdmcp query || arachnids,476
+518 || TFTP Put || arachnids,148 || cve,1999-0183
+519 || TFTP parent directory || arachnids,137 || cve,1999-0183 || cve,2002-1209
+520 || TFTP root directory || arachnids,138 || cve,1999-0183
+521 || MISC Large UDP Packet || arachnids,247
+522 || MISC Tiny Fragments
+523 || BAD-TRAFFIC ip reserved bit set
+524 || BAD-TRAFFIC tcp port 0 traffic
+525 || BAD-TRAFFIC udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074
+526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html
+527 || BAD-TRAFFIC same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html
+528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php
+529 || NETBIOS DOS RFPoison || arachnids,454
+530 || NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347
+532 || NETBIOS SMB ADMIN$ share access
+533 || NETBIOS SMB C$ share access
+534 || NETBIOS SMB CD.. || arachnids,338
+535 || NETBIOS SMB CD... || arachnids,337
+536 || NETBIOS SMB D$ share access
+537 || NETBIOS SMB IPC$ share access
+538 || NETBIOS SMB IPC$ unicode share access
+539 || NETBIOS Samba clientaccess || arachnids,341
+540 || CHAT MSN message
+541 || CHAT ICQ access
+542 || CHAT IRC nick change
+543 || POLICY FTP 'STOR 1MB' possible warez site
+544 || POLICY FTP 'RETR 1MB' possible warez site
+545 || POLICY FTP 'CWD / ' possible warez site
+546 || POLICY FTP 'CWD  ' possible warez site
+547 || POLICY FTP 'MKD  ' possible warez site
+548 || POLICY FTP 'MKD .' possible warez site
+549 || P2P napster login
+550 || P2P napster new user login
+551 || P2P napster download attempt
+552 || P2P napster upload request
+553 || POLICY FTP anonymous login attempt
+554 || POLICY FTP 'MKD / ' possible warez site
+555 || POLICY WinGate telnet server response || arachnids,366 || cve,1999-0657
+556 || P2P Outbound GNUTella client request
+557 || P2P GNUTella client request
+558 || INFO Outbound GNUTella client request
+559 || P2P Inbound GNUTella client request
+560 || POLICY VNC server response
+561 || P2P Napster Client Data
+562 || P2P Napster Client Data
+563 || P2P Napster Client Data
+564 || P2P Napster Client Data
+565 || P2P Napster Server Login
+566 || POLICY PCAnywhere server response || arachnids,239
+567 || POLICY SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html
+568 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245
+569 || RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
+570 || RPC EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
+571 || RPC EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html
+572 || RPC DOS ttdbserv Solaris || arachnids,241 || bugtraq,122 || cve,1999-0003
+573 || RPC AMD Overflow || arachnids,217 || cve,1999-0704
+574 || RPC mountd TCP export request || arachnids,26
+575 || RPC portmap admind request UDP || arachnids,18
+576 || RPC portmap amountd request UDP || arachnids,19
+577 || RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647
+578 || RPC portmap cmsd request UDP || arachnids,17
+579 || RPC portmap mountd request UDP || arachnids,13
+580 || RPC portmap nisd request UDP || arachnids,21
+581 || RPC portmap pcnfsd request UDP || arachnids,22
+582 || RPC portmap rexd request UDP || arachnids,23
+583 || RPC portmap rstatd request UDP || arachnids,10
+584 || RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626
+585 || RPC portmap sadmind request UDP || arachnids,20
+586 || RPC portmap selection_svc request UDP || arachnids,25
+587 || RPC portmap status request UDP || arachnids,15
+588 || RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
+589 || RPC portmap yppasswd request UDP || arachnids,14
+590 || RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
+591 || RPC portmap ypupdated request TCP || arachnids,125
+592 || RPC rstatd query || arachnids,9
+593 || RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
+595 || RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331
+596 || RPC portmap listing || arachnids,429
+597 || RPC portmap listing || arachnids,429
+598 || RPC portmap listing TCP 111 || arachnids,428
+599 || RPC portmap listing TCP 32771 || arachnids,429
+600 || RPC EXPLOIT statdx || arachnids,442
+601 || RSERVICES rlogin LinuxNIS
+602 || RSERVICES rlogin bin || arachnids,384
+603 || RSERVICES rlogin echo++ || arachnids,385
+604 || RSERVICES rsh froot || arachnids,387
+605 || RSERVICES rlogin login failure || arachnids,393
+606 || RSERVICES rlogin root || arachnids,389
+607 || RSERVICES rsh bin || arachnids,390
+608 || RSERVICES rsh echo + + || arachnids,388
+609 || RSERVICES rsh froot || arachnids,387
+610 || RSERVICES rsh root || arachnids,391
+611 || RSERVICES rlogin login failure || arachnids,392
+612 || RPC rusers query UDP || cve,1999-0626
+613 || SCAN myscan || arachnids,439
+614 || BACKDOOR hack-a-tack attempt || arachnids,314
+615 || SCAN SOCKS Proxy attempt || url,help.undernet.org/proxyscan/
+616 || SCAN ident version request || arachnids,303
+617 || SCAN ssh-research-scanner
+618 || SCAN Squid Proxy attempt
+619 || SCAN cybercop os probe || arachnids,146
+620 || SCAN Proxy Port 8080 attempt
+621 || SCAN FIN || arachnids,27
+622 || SCAN ipEye SYN scan || arachnids,236
+623 || SCAN NULL || arachnids,4
+624 || SCAN SYN FIN || arachnids,198
+625 || SCAN XMAS || arachnids,144
+626 || SCAN cybercop os PA12 attempt || arachnids,149
+627 || SCAN cybercop os SFU12 probe || arachnids,150
+628 || SCAN nmap TCP || arachnids,28
+629 || SCAN nmap fingerprint attempt || arachnids,05
+630 || SCAN synscan portscan || arachnids,441
+631 || SMTP ehlo cybercop attempt || arachnids,372
+632 || SMTP expn cybercop attempt || arachnids,371
+634 || SCAN Amanda client version request
+635 || SCAN XTACACS logout || arachnids,408
+636 || SCAN cybercop udp bomb || arachnids,363
+637 || SCAN Webtrends Scanner UDP Probe || arachnids,308
+638 || SHELLCODE SGI NOOP || arachnids,356
+639 || SHELLCODE SGI NOOP || arachnids,357
+640 || SHELLCODE AIX NOOP
+641 || SHELLCODE Digital UNIX NOOP || arachnids,352
+642 || SHELLCODE HP-UX NOOP || arachnids,358
+643 || SHELLCODE HP-UX NOOP || arachnids,359
+644 || SHELLCODE sparc NOOP || arachnids,345
+645 || SHELLCODE sparc NOOP || arachnids,353
+646 || SHELLCODE sparc NOOP || arachnids,355
+647 || SHELLCODE sparc setuid 0 || arachnids,282
+648 || SHELLCODE x86 NOOP || arachnids,181
+649 || SHELLCODE x86 setgid 0 || arachnids,284
+650 || SHELLCODE x86 setuid 0 || arachnids,436
+651 || SHELLCODE x86 stealth NOOP || arachnids,291
+652 || SHELLCODE Linux shellcode || arachnids,343
+653 || SHELLCODE x86 0x90 unicode NOOP
+654 || SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260
+655 || SMTP sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204
+656 || SMTP EXPLOIT x86 windows CSMMail overflow || bugtraq,895 || cve,2000-0042
+657 || SMTP chameleon overflow || arachnids,266 || bugtraq,2387 || cve,1999-0261
+658 || SMTP exchange mime DOS || bugtraq,1869 || cve,2000-1006 || nessus,10558 || url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx
+659 || SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248
+660 || SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249
+661 || SMTP majordomo ifs || arachnids,143 || bugtraq,2310 || cve,1999-0207
+662 || SMTP sendmail 5.5.5 exploit || arachnids,119 || cve,1999-0203 || nessus,10258
+663 || SMTP rcpt to command attempt || arachnids,172 || bugtraq,1 || cve,1999-0095
+664 || SMTP RCPT TO decode attempt || arachnids,121 || bugtraq,2308 || cve,1999-0203
+665 || SMTP sendmail 5.6.5 exploit || arachnids,122 || bugtraq,2308 || cve,1999-0203
+666 || SMTP sendmail 8.4.1 exploit || arachnids,120
+667 || SMTP sendmail 8.6.10 exploit || arachnids,123 || bugtraq,2311 || cve,1999-0204
+668 || SMTP sendmail 8.6.10 exploit || arachnids,124 || bugtraq,2311 || cve,1999-0204
+669 || SMTP sendmail 8.6.9 exploit || arachnids,142 || bugtraq,2311 || cve,1999-0204
+670 || SMTP sendmail 8.6.9 exploit || arachnids,139 || bugtraq,2311 || cve,1999-0204
+671 || SMTP sendmail 8.6.9c exploit || arachnids,141 || bugtraq,2311 || cve,1999-0204
+672 || SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096
+673 || MS-SQL sp_start_job - program execution
+674 || MS-SQL xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+676 || MS-SQL/SMB sp_start_job - program execution
+677 || MS-SQL/SMB sp_password password change
+678 || MS-SQL/SMB sp_delete_alert log file deletion
+679 || MS-SQL/SMB sp_adduser database user creation
+680 || MS-SQL/SMB sa login failed || bugtraq,4797 || cve,2000-1209
+681 || MS-SQL/SMB xp_cmdshell program execution
+682 || MS-SQL xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+683 || MS-SQL sp_password - password change
+684 || MS-SQL sp_delete_alert log file deletion
+685 || MS-SQL sp_adduser - database user creation
+686 || MS-SQL xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034
+687 || MS-SQL xp_cmdshell - program execution
+688 || MS-SQL sa login failed || bugtraq,4797 || cve,2000-1209 || nessus,10673
+689 || MS-SQL/SMB xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034
+690 || MS-SQL/SMB xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+691 || MS-SQL shellcode attempt
+692 || MS-SQL/SMB shellcode attempt
+693 || MS-SQL shellcode attempt
+694 || MS-SQL/SMB shellcode attempt
+695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
+696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+699 || MS-SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+701 || MS-SQL xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
+705 || MS-SQL xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+706 || MS-SQL xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+707 || MS-SQL xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx
+709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501 || nessus,11243
+710 || TELNET EZsetup account attempt || cve,1999-0501 || nessus,11244
+711 || TELNET SGI telnetd format bug || arachnids,304 || bugtraq,1572 || cve,2000-0733
+712 || TELNET ld_library_path || arachnids,367 || bugtraq,459 || cve,1999-0073
+713 || TELNET livingston DOS || arachnids,370 || bugtraq,2225 || cve,1999-0218
+714 || TELNET resolv_host_conf || arachnids,369 || bugtraq,2181 || cve,2001-0170
+715 || TELNET Attempted SU from wrong group
+716 || INFO TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280
+717 || TELNET not on console || arachnids,365
+718 || INFO TELNET login incorrect || arachnids,127
+719 || TELNET root login
+720 || Virus - SnowWhite Trojan Incoming
+721 || VIRUS OUTBOUND bad file attachment
+722 || Virus - Possible NAVIDAD Worm
+723 || Virus - Possible MyRomeo Worm
+724 || Virus - Possible MyRomeo Worm
+725 || Virus - Possible MyRomeo Worm
+726 || Virus - Possible MyRomeo Worm
+727 || Virus - Possible MyRomeo Worm
+728 || Virus - Possible MyRomeo Worm
+729 || VIRUS OUTBOUND .scr file attachment
+730 || VIRUS OUTBOUND .shs file attachment
+731 || Virus - Possible QAZ Worm || MCAFEE,98775
+732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775
+733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775
+734 || Virus - Possible Matrix worm
+735 || Virus - Possible MyRomeo Worm
+736 || Virus - Successful eurocalculator execution
+737 || Virus - Possible eurocalculator.exe file
+738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696
+739 || Virus - Possible Triplesix Worm || MCAFEE,10389
+740 || Virus - Possible Tune.vbs || MCAFEE,10497
+741 || Virus - Possible NAIL Worm || MCAFEE,10109
+742 || Virus - Possible NAIL Worm || MCAFEE,10109
+743 || Virus - Possible NAIL Worm || MCAFEE,10109
+744 || Virus - Possible NAIL Worm || MCAFEE,10109
+745 || Virus - Possible Papa Worm || MCAFEE,10145
+746 || Virus - Possible Freelink Worm || MCAFEE,10225
+747 || Virus - Possible Simbiosis Worm
+748 || Virus - Possible BADASS Worm || MCAFEE,10388
+749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471
+751 || Virus - Possible wscript.KakWorm || MCAFEE,10509
+752 || Virus Possible Suppl Worm || MCAFEE,10361
+753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540
+754 || Virus - Possible Word Macro - VALE || MCAFEE,10502
+755 || Virus - Possible IROK Worm || MCAFEE,98552
+756 || Virus - Possible Fix2001 Worm || MCAFEE,10355
+757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505
+758 || Virus - Possible The_Fly Trojan || MCAFEE,10478
+759 || Virus - Possible Word Macro - VALE || MCAFEE,10502
+760 || Virus - Possible Passion Worm || MCAFEE,10467
+761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540
+762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540
+763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540
+764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540
+765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540
+766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540
+767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540
+768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540
+769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540
+770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540
+771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540
+772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175
+773 || Virus - Possible Happy99 Virus || MCAFEE,10144
+774 || Virus - Possible CheckThis Trojan
+775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418
+776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540
+777 || Virus - Possible MyPics Worm || MCAFEE,10467
+778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461
+779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540
+780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540
+781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540
+782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540
+783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540
+784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540
+785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540
+786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540
+787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540
+788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540
+789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054
+790 || Virus - Possible Common Sense Worm
+791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540
+792 || Virus - Possible Resume Worm || MCAFEE,98661
+793 || VIRUS OUTBOUND .vbs file attachment
+794 || Virus - Possible Resume Worm || MCAFEE,98661
+795 || Virus - Possible Worm -  txt.vbs file
+796 || Virus - Possible Worm - xls.vbs file
+797 || Virus - Possible Worm - jpg.vbs file
+798 || Virus - Possible Worm -  gif.vbs file
+799 || Virus - Possible Timofonica Worm || MCAFEE,98674
+800 || Virus - Possible Resume Worm || MCAFEE,98661
+801 || Virus - Possible Worm - doc.vbs file
+802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450
+803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || bugtraq,2314 || cve,2001-0253 || nessus,10602
+804 || WEB-CGI SWSoft ASPSeek Overflow attempt || bugtraq,2492 || cve,2001-0476
+805 || WEB-CGI webspeed access || arachnids,467 || bugtraq,969 || cve,2000-0127 || nessus,10304
+806 || WEB-CGI yabb directory traversal attempt || arachnids,462 || bugtraq,1668 || cve,2000-0853
+807 || WEB-CGI /wwwboard/passwd.txt access || arachnids,463 || bugtraq,649 || cve,1999-0953 || cve,1999-0954 || nessus,10321
+808 || WEB-CGI webdriver access || arachnids,473 || bugtraq,2166 || nessus,10592
+809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
+810 || WEB-CGI whois_raw.cgi access || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306
+811 || WEB-CGI websitepro path access || arachnids,468 || bugtraq,932 || cve,2000-0066
+812 || WEB-CGI webplus version access || arachnids,470 || bugtraq,1102 || cve,2000-0282
+813 || WEB-CGI webplus directory traversal || arachnids,471 || bugtraq,1102 || cve,2000-0282
+815 || WEB-CGI websendmail access || arachnids,469 || bugtraq,2077 || cve,1999-0196 || nessus,10301
+817 || WEB-CGI dcboard.cgi invalid user addition attempt || bugtraq,2728 || cve,2001-0527 || nessus,10583
+818 || WEB-CGI dcforum.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583
+819 || WEB-CGI mmstdod.cgi access || bugtraq,2063 || cve,2001-0021 || nessus,10566
+820 || WEB-CGI anaconda directory transversal attempt || bugtraq,2338 || bugtraq,2388 || cve,2000-0975 || cve,2001-0308
+821 || WEB-CGI imagemap.exe overflow attempt || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
+823 || WEB-CGI cvsweb.cgi access || bugtraq,1469 || cve,2000-0670 || nessus,10465
+824 || WEB-CGI php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || nessus,10178
+825 || WEB-CGI glimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
+826 || WEB-CGI htmlscript access || bugtraq,2001 || cve,1999-0264 || nessus,10106
+827 || WEB-CGI info2www access || bugtraq,1995 || cve,1999-0266 || nessus,10127
+828 || WEB-CGI maillist.pl access
+829 || WEB-CGI nph-test-cgi access || arachnids,224 || bugtraq,686 || cve,1999-0045 || nessus,10165
+830 || WEB-CGI NPH-publish access || cve,1999-1177 || nessus,10164
+832 || WEB-CGI perl.exe access || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
+833 || WEB-CGI rguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467
+834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm
+835 || WEB-CGI test-cgi access || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
+836 || WEB-CGI textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451
+837 || WEB-CGI uploader.exe access || bugtraq,1611 || cve,1999-0177 || cve,2000-0769 || nessus,10291
+838 || WEB-CGI webgais access || arachnids,472 || bugtraq,2058 || cve,1999-0176 || nessus,10300
+839 || WEB-CGI finger access || arachnids,221 || cve,1999-0612 || nessus,10071
+840 || WEB-CGI perlshop.cgi access || cve,1999-1374
+841 || WEB-CGI pfdisplay.cgi access || bugtraq,64 || cve,1999-0270 || nessus,10174
+842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095
+843 || WEB-CGI anform2 access || arachnids,225 || bugtraq,719 || cve,1999-0066
+844 || WEB-CGI args.bat access || cve,1999-1180 || nessus,11465
+845 || WEB-CGI AT-admin.cgi access || cve,1999-1072
+846 || WEB-CGI bnbform.cgi access || bugtraq,2147 || cve,1999-0937
+847 || WEB-CGI campas access || bugtraq,1975 || cve,1999-0146 || nessus,10035
+848 || WEB-CGI view-source directory traversal || bugtraq,2251 || bugtraq,8883 || cve,1999-0174
+849 || WEB-CGI view-source access || bugtraq,2251 || bugtraq,8883 || cve,1999-0174
+850 || WEB-CGI wais.pl access
+851 || WEB-CGI files.pl access || cve,1999-1081
+852 || WEB-CGI wguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467
+853 || WEB-CGI wrap access || arachnids,234 || bugtraq,373 || cve,1999-0149 || nessus,10317
+854 || WEB-CGI classifieds.cgi access || bugtraq,2020 || cve,1999-0934
+855 || WEB-CGI edit.pl access || bugtraq,2713
+856 || WEB-CGI environ.cgi access
+857 || WEB-CGI faxsurvey access || bugtraq,2056 || cve,1999-0262 || nessus,10067
+858 || WEB-CGI filemail access || cve,1999-1154
+859 || WEB-CGI man.sh access || bugtraq,2276 || cve,1999-1179
+860 || WEB-CGI snork.bat access || arachnids,220 || bugtraq,1053 || cve,2000-0169
+861 || WEB-CGI w3-msql access || arachnids,210 || bugtraq,591 || bugtraq,898 || cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296
+862 || WEB-CGI csh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
+863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232
+864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232
+865 || WEB-CGI ksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
+866 || WEB-CGI post-query access || bugtraq,6752 || cve,2001-0291
+867 || WEB-CGI visadmin.exe access || bugtraq,1808 || cve,1999-0970 || cve,1999-1970 || nessus,10295
+868 || WEB-CGI rsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
+869 || WEB-CGI dumpenv.pl access || cve,1999-1178 || nessus,10060
+870 || WEB-CGI snorkerz.cmd access
+871 || WEB-CGI survey.cgi access || bugtraq,1817 || cve,1999-0936
+872 || WEB-CGI tcsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
+873 || WEB-CGI scriptalias access || arachnids,227 || bugtraq,2300 || cve,1999-0236
+874 || WEB-CGI w3-msql solaris x86  access || arachnids,211 || cve,1999-0276
+875 || WEB-CGI win-c-sample.exe access || arachnids,231 || bugtraq,2078 || cve,1999-0178 || nessus,10008
+877 || WEB-CGI rksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
+878 || WEB-CGI w3tvars.pm access
+879 || WEB-CGI admin.pl access || bugtraq,3839 || url,online.securityfocus.com/archive/1/249355
+880 || WEB-CGI LWGate access || url,www.netspace.org/~dwb/lwgate/lwgate-history.html || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
+881 || WEB-CGI archie access
+882 || WEB-CGI calendar access
+883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
+884 || WEB-CGI formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
+885 || WEB-CGI bash access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
+886 || WEB-CGI phf access || arachnids,128 || bugtraq,629 || cve,1999-0067
+887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2
+888 || WEB-CGI wwwadmin.pl access
+889 || WEB-CGI ppdscgi.exe access || bugtraq,491 || nessus,10187 || url,online.securityfocus.com/archive/1/16878
+890 || WEB-CGI sendform.cgi access || bugtraq,5286 || cve,2002-0710 || url,www.scn.org/help/sendform.txt
+891 || WEB-CGI upload.pl access
+892 || WEB-CGI AnyForm2 access || bugtraq,719 || cve,1999-0066 || nessus,10277
+893 || WEB-CGI MachineInfo access || cve,1999-1067
+894 || WEB-CGI bb-hist.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025
+895 || WEB-CGI redirect access || bugtraq,1179 || cve,2000-0382
+896 || WEB-CGI way-board access || bugtraq,2370 || cve,2001-0214 || nessus,10610
+897 || WEB-CGI pals-cgi access || bugtraq,2372 || cve,2001-0216 || cve,2001-0217 || nessus,10611
+898 || WEB-CGI commerce.cgi access || bugtraq,2361 || cve,2001-0210 || nessus,10612
+899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || bugtraq,2504 || cve,2001-0272
+900 || WEB-CGI webspirs.cgi directory traversal attempt || bugtraq,2362 || cve,2001-0211 || nessus,10616
+901 || WEB-CGI webspirs.cgi access || bugtraq,2362 || cve,2001-0211 || nessus,10616
+902 || WEB-CGI tstisapi.dll access || bugtraq,2381 || cve,2001-0302
+903 || WEB-COLDFUSION cfcache.map access || bugtraq,917 || cve,2000-0057
+904 || WEB-COLDFUSION exampleapp application.cfm || bugtraq,1021 || cve,2000-0189
+905 || WEB-COLDFUSION application.cfm access || bugtraq,1021 || cve,2000-0189
+906 || WEB-COLDFUSION getfile.cfm access || bugtraq,229 || cve,1999-0800
+907 || WEB-COLDFUSION addcontent.cfm access
+908 || WEB-COLDFUSION administrator access || bugtraq,1314 || cve,2000-0538
+909 || WEB-COLDFUSION datasource username attempt || bugtraq,550
+910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550
+911 || WEB-COLDFUSION exprcalc access || bugtraq,115 || bugtraq,550 || cve,1999-0455
+912 || WEB-COLDFUSION parks access || bugtraq,550
+913 || WEB-COLDFUSION cfappman access || bugtraq,550
+914 || WEB-COLDFUSION beaninfo access || bugtraq,550
+915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550
+916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550
+917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550
+918 || WEB-COLDFUSION expeval access || bugtraq,550 || cve,1999-0477
+919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550
+920 || WEB-COLDFUSION datasource attempt || bugtraq,550
+921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550
+922 || WEB-COLDFUSION displayfile access || bugtraq,550
+923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550
+924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550
+925 || WEB-COLDFUSION mainframeset access || bugtraq,550
+926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550
+927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550
+928 || WEB-COLDFUSION exampleapp access
+929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550
+930 || WEB-COLDFUSION snippets attempt || bugtraq,550
+931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550
+932 || WEB-COLDFUSION application.cfm access || arachnids,268 || bugtraq,550 || cve,2000-0189
+933 || WEB-COLDFUSION onrequestend.cfm access || arachnids,269 || bugtraq,550 || cve,2000-0189
+935 || WEB-COLDFUSION startstop DOS access || bugtraq,247
+936 || WEB-COLDFUSION gettempdirectory.cfm access  || bugtraq,550
+937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585
+939 || WEB-FRONTPAGE posting || bugtraq,2144 || cve,2001-0096 || nessus,10585 || url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx
+940 || WEB-FRONTPAGE shtml.dll access || arachnids,292 || bugtraq,1174 || bugtraq,1594 || bugtraq,1595 || cve,2000-0413 || cve,2000-0746 || nessus,11395 || url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx
+941 || WEB-FRONTPAGE contents.htm access
+942 || WEB-FRONTPAGE orders.htm access
+943 || WEB-FRONTPAGE fpsrvadm.exe access
+944 || WEB-FRONTPAGE fpremadm.exe access
+945 || WEB-FRONTPAGE fpadmin.htm access
+946 || WEB-FRONTPAGE fpadmcgi.exe access
+947 || WEB-FRONTPAGE orders.txt access
+948 || WEB-FRONTPAGE form_results access || cve,1999-1052
+949 || WEB-FRONTPAGE registrations.htm access
+950 || WEB-FRONTPAGE cfgwiz.exe access
+951 || WEB-FRONTPAGE authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078
+952 || WEB-FRONTPAGE author.exe access
+953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205
+954 || WEB-FRONTPAGE form_results.htm access || cve,1999-1052
+955 || WEB-FRONTPAGE access.cnf access || bugtraq,4078 || nessus,10575
+956 || WEB-FRONTPAGE register.txt access
+957 || WEB-FRONTPAGE registrations.txt access
+958 || WEB-FRONTPAGE service.cnf access || bugtraq,4078 || nessus,10575
+959 || WEB-FRONTPAGE service.pwd || bugtraq,1205
+960 || WEB-FRONTPAGE service.stp access
+961 || WEB-FRONTPAGE services.cnf access || bugtraq,4078 || nessus,10575
+962 || WEB-FRONTPAGE shtml.exe access || bugtraq,1174 || bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 || cve,2002-0692 || nessus,10405 || nessus,11311
+963 || WEB-FRONTPAGE svcacl.cnf access || bugtraq,4078 || nessus,10575
+964 || WEB-FRONTPAGE users.pwd access
+965 || WEB-FRONTPAGE writeto.cnf access || bugtraq,4078 || nessus,10575
+966 || WEB-FRONTPAGE .... request || arachnids,248 || bugtraq,989 || cve,1999-0386 || cve,2000-0153 || nessus,10142
+967 || WEB-FRONTPAGE dvwssr.dll access || arachnids,271 || bugtraq,1108 || bugtraq,1109 || cve,2000-0260 || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx
+968 || WEB-FRONTPAGE register.htm access
+969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736
+970 || WEB-IIS multiple decode attempt || bugtraq,2708 || cve,2001-0333 || nessus,10671
+971 || WEB-IIS ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661 || url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx
+972 || WEB-IIS %2E-asp access || bugtraq,1814 || cve,1999-0253
+973 || WEB-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 || cve,2000-0661
+974 || WEB-IIS Directory transversal attempt || bugtraq,2218 || cve,1999-0229
+975 || WEB-IIS Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb\
+976 || WEB-IIS .bat? access || bugtraq,2023 || cve,1999-0233 || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp
+977 || WEB-IIS .cnf access || bugtraq,4078 || nessus,10575
+978 || WEB-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 || nessus,10356 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx
+979 || WEB-IIS ASP contents view || bugtraq,1861 || cve,2000-0942 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx
+980 || WEB-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726
+981 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
+982 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
+983 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
+984 || WEB-IIS JET VBA access || bugtraq,307 || cve,1999-0874 || nessus,10116
+985 || WEB-IIS JET VBA access || bugtraq,286 || cve,1999-0874
+986 || WEB-IIS MSProxy access || url,support.microsoft.com/?kbid=331066
+987 || WEB-IIS .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680
+988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml
+989 || BACKDOOR sensepost.exe command shell attempt || nessus,11003
+990 || WEB-FRONTPAGE _vti_inf.html access || nessus,11455
+991 || WEB-IIS achg.htr access || bugtraq,2110 || cve,1999-0407
+992 || WEB-IIS adctest.asp access
+993 || WEB-IIS iisadmin access || bugtraq,189 || cve,1999-1538 || nessus,11032
+994 || WEB-IIS /scripts/iisadmin/default.htm access
+995 || WEB-IIS ism.dll access || bugtraq,189 || cve,1999-1538 || cve,2000-0630
+996 || WEB-IIS anot.htr access || bugtraq,2110 || cve,1999-0407
+997 || WEB-IIS asp-dot attempt || bugtraq,1814 || nessus,10363
+998 || WEB-IIS asp-srch attempt
+999 || WEB-IIS bdir access || bugtraq,2280
+1000 || WEB-IIS bdir.htr access || bugtraq,2280 || nessus,10577
+1001 || WEB-MISC carbo.dll access || bugtraq,2126 || cve,1999-1069
+1002 || WEB-IIS cmd.exe access
+1003 || WEB-IIS cmd? access
+1004 || WEB-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815
+1005 || WEB-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736
+1007 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 || url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx
+1008 || WEB-IIS del attempt
+1009 || WEB-IIS directory listing || nessus,10573
+1010 || WEB-IIS encoding access || arachnids,200 || bugtraq,886 || cve,2000-0024 || url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx
+1011 || WEB-IIS exec-src access
+1012 || WEB-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376
+1013 || WEB-IIS fpcount access || bugtraq,2252 || cve,1999-1376
+1015 || WEB-IIS getdrvs.exe access
+1016 || WEB-IIS global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991
+1017 || WEB-IIS idc-srch attempt || cve,1999-0874
+1018 || WEB-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407
+1019 || IIS Malformed Hit-Highlighting Argument File Access Attempt || bugtraq,950 || cve,2000-0097 || url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx || url,www.securityfocus.com/archive/1/43762
+1020 || WEB-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 || nessus,10116
+1021 || WEB-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx
+1022 || WEB-IIS jet vba access || bugtraq,286 || cve,1999-0874
+1023 || WEB-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357
+1024 || WEB-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 || nessus,10360
+1025 || WEB-IIS perl access
+1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833
+1027 || WEB-IIS perl-browse space attempt || bugtraq,6833
+1028 || WEB-IIS query.asp access || bugtraq,193 || cve,1999-0449
+1029 || WEB-IIS scripts-browse access || nessus,11032
+1030 || WEB-IIS search97.vts access || bugtraq,162
+1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576
+1032 || WEB-IIS showcode access || nessus,10576
+1033 || WEB-IIS showcode access || nessus,10576
+1034 || WEB-IIS showcode access || nessus,10576
+1035 || WEB-IIS showcode access || nessus,10576
+1036 || WEB-IIS showcode access || nessus,10576
+1037 || WEB-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 || nessus,10007 || url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx
+1038 || WEB-IIS site server config access || bugtraq,256 || cve,1999-1520
+1039 || WEB-IIS srch.htm access
+1040 || WEB-IIS srchadm access || nessus,11032
+1041 || WEB-IIS uploadn.asp access || bugtraq,1811 || cve,1999-0360
+1042 || WEB-IIS view source via translate header || arachnids,305 || bugtraq,1578 || cve,2000-0778
+1043 || WEB-IIS viewcode.asp access || cve,1999-0737 || nessus,10576
+1044 || WEB-IIS webhits access || arachnids,237 || bugtraq,950 || cve,2000-0097
+1045 || WEB-IIS Unauthorized IP Access Attempt
+1046 || WEB-IIS site/iisamples access || nessus,10370
+1047 || WEB-MISC Netscape Enterprise DOS || bugtraq,2294 || cve,2001-0251
+1048 || WEB-MISC Netscape Enterprise directory listing attempt || bugtraq,2285 || cve,2001-0250
+1049 || WEB-MISC iPlanet ../../ DOS attempt || bugtraq,2282 || cve,2001-0252
+1050 || WEB-MISC iPlanet GETPROPERTIES attempt || bugtraq,2732 || cve,2001-0746
+1051 || WEB-CGI technote main.cgi file directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584
+1052 || WEB-CGI technote print.cgi directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584
+1053 || WEB-CGI ads.cgi command execution attempt || bugtraq,2103 || cve,2001-0025 || nessus,11464
+1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527
+1055 || WEB-MISC Tomcat directory traversal attempt || bugtraq,2518
+1056 || WEB-MISC Tomcat view source attempt || bugtraq,2527 || cve,2001-0590
+1057 || WEB-MISC ftp attempt
+1058 || WEB-MISC xp_enumdsn attempt
+1059 || WEB-MISC xp_filelist attempt
+1060 || WEB-MISC xp_availablemedia attempt
+1061 || WEB-MISC xp_cmdshell attempt
+1062 || WEB-MISC nc.exe attempt
+1064 || WEB-MISC wsh attempt
+1065 || WEB-MISC rcmd attempt
+1066 || WEB-MISC telnet attempt
+1067 || WEB-MISC net attempt
+1068 || WEB-MISC tftp attempt
+1069 || WEB-MISC xp_regread attempt
+1070 || WEB-MISC WebDAV search access || arachnids,474 || bugtraq,1756 || cve,2000-0951
+1071 || WEB-MISC .htpasswd access
+1072 || WEB-MISC Lotus Domino directory traversal || bugtraq,2173 || cve,2001-0009 || nessus,12248
+1073 || WEB-MISC webhits.exe access || bugtraq,950 || cve,2000-0097
+1075 || WEB-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360
+1076 || WEB-IIS repost.asp access || nessus,10372
+1077 || WEB-MISC queryhit.htm access || nessus,10370
+1078 || WEB-MISC counter.exe access || bugtraq,267 || cve,1999-1030
+1079 || WEB-MISC WebDAV propfind access || bugtraq,1656 || cve,2000-0869
+1080 || WEB-MISC unify eWave ServletExec upload || bugtraq,1868 || bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570
+1081 || WEB-MISC Netscape Servers suite DOS || bugtraq,1868 || cve,2000-1025
+1082 || WEB-MISC amazon 1-click cookie theft || bugtraq,1194 || cve,2000-0439
+1083 || WEB-MISC unify eWave ServletExec DOS || bugtraq,1868 || cve,2000-1025
+1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337 || cve,2000-1049
+1085 || WEB-PHP strings overflow || arachnids,431 || bugtraq,802
+1086 || WEB-PHP strings overflow || arachnids,430 || bugtraq,1786 || cve,2000-0967
+1087 || WEB-MISC whisker tab splice attack || arachnids,415 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+1088 || WEB-CGI eXtropia webstore directory traversal || bugtraq,1774 || cve,2000-1005 || nessus,10532
+1089 || WEB-CGI shopping cart directory traversal || bugtraq,1777 || cve,2000-0921
+1090 || WEB-CGI Allaire Pro Web Shell attempt
+1091 || WEB-MISC ICQ Webfront HTTP DOS || bugtraq,1463 || cve,2000-1078
+1092 || WEB-CGI Armada Style Master Index directory traversal || bugtraq,1772 || cve,2000-0924 || nessus,10562 || url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt
+1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || bugtraq,1762 || cve,2000-0906
+1094 || WEB-CGI webstore directory traversal || bugtraq,1774 || cve,2000-1005
+1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html
+1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html
+1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725
+1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || bugtraq,1734 || cve,2000-0925
+1099 || WEB-MISC cybercop scan || arachnids,374
+1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310
+1101 || WEB-MISC Webtrends HTTP probe || arachnids,309
+1102 || WEB-MISC nessus 1.X 404 probe || arachnids,301
+1103 || WEB-MISC Netscape admin passwd || bugtraq,1579 || nessus,10468
+1104 || WEB-MISC whisker space splice attack || arachnids,296 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+1105 || WEB-MISC BigBrother access || bugtraq,1455 || cve,2000-0638 || nessus,10460
+1106 || WEB-CGI Poll-it access || bugtraq,1431 || cve,2000-0590 || nessus,10459
+1107 || WEB-MISC ftp.pl access || bugtraq,1471 || cve,2000-0674 || nessus,10467
+1108 || WEB-MISC Tomcat server snoop access || bugtraq,1532 || cve,2000-0760
+1109 || WEB-MISC ROXEN directory list attempt || bugtraq,1510 || cve,2000-0671
+1110 || WEB-MISC apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480
+1111 || WEB-MISC Tomcat server exploit access || bugtraq,1548 || cve,2000-0672 || nessus,10477
+1112 || WEB-MISC http directory traversal || arachnids,298
+1113 || WEB-MISC http directory traversal || arachnids,297
+1114 || WEB-MISC prefix-get //
+1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474 || url,www.securiteam.com/exploits/2ZUQ1QAQOG.html
+1116 || WEB-MISC Lotus DelDoc attempt
+1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html
+1118 || WEB-MISC ls%20-l
+1119 || WEB-MISC mlog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346
+1120 || WEB-MISC mylog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346
+1121 || WEB-MISC O'Reilly args.bat access
+1122 || WEB-MISC /etc/passwd
+1123 || WEB-MISC ?PageServices access || bugtraq,1063 || bugtraq,7621 || cve,1999-0269
+1124 || WEB-MISC Ecommerce check.txt access
+1125 || WEB-MISC webcart access || cve,1999-0610 || nessus,10298
+1126 || WEB-MISC AuthChangeUrl access || bugtraq,2110 || cve,1999-0407
+1127 || WEB-MISC convert.bas access || bugtraq,2025 || cve,1999-0175
+1128 || WEB-MISC cpshost.dll access || bugtraq,1811 || bugtraq,4002 || cve,1999-0360
+1129 || WEB-MISC .htaccess access
+1130 || WEB-MISC .wwwacl access
+1131 || WEB-MISC .wwwacl access
+1132 || WEB-MISC Netscape Unixware overflow || arachnids,180 || bugtraq,908 || cve,1999-0744
+1133 || SCAN cybercop os probe || arachnids,145
+1134 || WEB-PHP Phorum admin access || arachnids,205 || bugtraq,2271
+1136 || WEB-MISC cd..
+1137 || WEB-PHP Phorum authentication access || arachnids,206 || bugtraq,2274
+1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275
+1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+1140 || WEB-MISC guestbook.pl access || arachnids,228 || bugtraq,776 || cve,1999-0237 || cve,1999-1053 || nessus,10099
+1141 || WEB-MISC handler access || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100
+1142 || WEB-MISC /.... access
+1143 || WEB-MISC ///cgi-bin access || nessus,11032
+1144 || WEB-MISC /cgi-bin/// access || nessus,11032
+1145 || WEB-MISC /~root access
+1146 || WEB-MISC Ecommerce import.txt access
+1147 || WEB-MISC cat%20 access || bugtraq,374 || cve,1999-0039
+1148 || WEB-MISC Ecommerce import.txt access
+1149 || WEB-CGI count.cgi access || bugtraq,128 || cve,1999-0021 || nessus,10049
+1150 || WEB-MISC Domino catalog.nsf access || nessus,10629
+1151 || WEB-MISC Domino domcfg.nsf access || nessus,10629
+1152 || WEB-MISC Domino domlog.nsf access || nessus,10629
+1153 || WEB-MISC Domino log.nsf access || nessus,10629
+1154 || WEB-MISC Domino names.nsf access || nessus,10629
+1155 || WEB-MISC Ecommerce checks.txt access || bugtraq,2281
+1156 || WEB-MISC apache directory disclosure attempt || bugtraq,2503
+1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196 || nessus,10364
+1158 || WEB-MISC windmail.exe access || arachnids,465 || bugtraq,1073 || cve,2000-0242 || nessus,10365
+1159 || WEB-MISC webplus access || bugtraq,1174 || bugtraq,1720 || bugtraq,1722 || bugtraq,1725 || cve,2000-1005
+1160 || WEB-MISC Netscape dir index wp || arachnids,270 || bugtraq,1063 || cve,2000-0236
+1161 || WEB-PHP piranha passwd.php3 access || arachnids,272 || bugtraq,1149 || cve,2000-0322
+1162 || WEB-MISC cart 32 AdminPwd access || bugtraq,1153 || cve,2000-0429
+1163 || WEB-CGI webdist.cgi access || bugtraq,374 || cve,1999-0039 || nessus,10299
+1164 || WEB-MISC shopping cart access || bugtraq,1983 || bugtraq,2049 || cve,1999-0607 || cve,2000-1188
+1165 || WEB-MISC Novell Groupwise gwweb.exe access || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877
+1166 || WEB-MISC ws_ftp.ini access || bugtraq,547 || cve,1999-1078
+1167 || WEB-MISC rpm_query access || bugtraq,1036 || cve,2000-0192 || nessus,10340
+1168 || WEB-MISC mall log order access || bugtraq,2266 || cve,1999-0606
+1171 || WEB-MISC whisker HEAD with large datagram || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+1172 || WEB-CGI bigconf.cgi access || bugtraq,778 || cve,1999-1550 || nessus,10027
+1173 || WEB-MISC architext_query.pl access || bugtraq,2248 || cve,1999-0279 || nessus,10064 || url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt
+1174 || WEB-CGI /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260 || nessus,10131
+1175 || WEB-MISC wwwboard.pl access || bugtraq,1795 || bugtraq,649 || cve,1999-0930 || cve,1999-0954
+1176 || WEB-MISC order.log access
+1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1178 || WEB-PHP Phorum read access || arachnids,208
+1179 || WEB-PHP Phorum violation access || arachnids,209 || bugtraq,2272
+1180 || WEB-MISC get32.exe access || arachnids,258 || bugtraq,1485 || bugtraq,770 || cve,1999-0885 || nessus,10011
+1181 || WEB-MISC Annex Terminal DOS attempt || arachnids,260 || cve,1999-1070 || nessus,10017
+1182 || WEB-MISC cgitest.exe attempt || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623
+1183 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 || nessus,10352
+1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
+1185 || WEB-CGI bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383
+1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
+1187 || WEB-MISC SalesLogix Eviewer web command attempt || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289
+1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
+1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
+1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
+1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
+1192 || WEB-MISC Trend Micro OfficeScan access || bugtraq,1057
+1193 || WEB-MISC oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348
+1194 || WEB-CGI sojourn.cgi File attempt || bugtraq,1052 || cve,2000-0180 || nessus,10349
+1195 || WEB-CGI sojourn.cgi access || bugtraq,1052 || cve,2000-0180 || nessus,10349
+1196 || WEB-CGI SGI InfoSearch fname attempt || arachnids,290 || bugtraq,1031 || cve,2000-0207
+1197 || WEB-PHP Phorum code access || arachnids,207
+1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236
+1199 || WEB-MISC Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771
+1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx
+1201 || ATTACK-RESPONSES 403 Forbidden
+1202 || WEB-MISC search.vts access || bugtraq,162
+1204 || WEB-CGI ax-admin.cgi access
+1205 || WEB-CGI axs.cgi access
+1206 || WEB-CGI cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034
+1207 || WEB-MISC htgrep access || cve,2000-0832
+1208 || WEB-CGI responder.cgi access || bugtraq,3155
+1209 || WEB-MISC .nsconfig access || url,www.osvdb.org/5709
+1211 || WEB-CGI web-map.cgi access
+1212 || WEB-MISC Admin_files access
+1213 || WEB-MISC backup access
+1214 || WEB-MISC intranet access || nessus,11626
+1215 || WEB-CGI ministats admin access
+1216 || WEB-MISC filemail access || cve,1999-1154 || cve,1999-1155 || url,www.securityfocus.com/archive/1/11175
+1217 || WEB-MISC plusmail access || bugtraq,2653 || cve,2000-0074 || nessus,10181
+1218 || WEB-MISC adminlogin access || bugtraq,1164 || bugtraq,1175 || nessus,11748
+1219 || WEB-CGI dfire.cgi access || bugtraq,564 || cve,1999-0913
+1220 || WEB-MISC ultraboard access || bugtraq,1164 || bugtraq,1175 || nessus,11748
+1221 || WEB-MISC musicat empower access || bugtraq,2374 || cve,2001-0224 || nessus,10609
+1222 || WEB-CGI pals-cgi arbitrary file access attempt || bugtraq,2372 || cve,2001-0217 || nessus,10611
+1224 || WEB-MISC ROADS search.pl attempt || bugtraq,2371 || cve,2001-0215 || nessus,10627
+1225 || X11 MIT Magic Cookie detected || arachnids,396
+1226 || X11 xopen || arachnids,395
+1227 || X11 outbound client connection detected || arachnids,126
+1228 || SCAN nmap XMAS || arachnids,30
+1229 || FTP CWD ... || bugtraq,9237
+1230 || WEB-MISC VirusWall FtpSave access || bugtraq,2808 || cve,2001-0432 || nessus,10733
+1231 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650
+1232 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650
+1233 || WEB-CLIENT Outlook EML access || nessus,10767
+1234 || WEB-MISC VirusWall FtpSaveCSP access || bugtraq,2808 || cve,2001-0432 || nessus,10733
+1235 || WEB-MISC VirusWall FtpSaveCVP access || bugtraq,2808 || cve,2001-0432 || nessus,10733
+1236 || WEB-MISC Tomcat sourecode view
+1237 || WEB-MISC Tomcat sourecode view
+1238 || WEB-MISC Tomcat sourecode view
+1239 || NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392
+1240 || EXPLOIT MDBMS overflow || bugtraq,1252 || cve,2000-0446
+1241 || WEB-MISC SWEditServlet directory traversal attempt || bugtraq,2868 || cve,2001-0555
+1242 || WEB-IIS ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071
+1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071
+1244 || WEB-IIS ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115
+1245 || WEB-IIS ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071
+1246 || WEB-FRONTPAGE rad overflow attempt || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx
+1247 || WEB-FRONTPAGE rad overflow attempt || bugtraq,2906 || cve,2001-0341
+1248 || WEB-FRONTPAGE rad fp30reg.dll access || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx
+1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || bugtraq,2906 || cve,2001-0341
+1250 || WEB-MISC Cisco IOS HTTP configuration attempt || bugtraq,2936 || cve,2001-0537
+1251 || INFO TELNET Bad Login
+1252 || TELNET bsd telnet exploit response || bugtraq,3064 || cve,2001-0554 || nessus,10709
+1253 || TELNET bsd exploit client finishing || bugtraq,3064 || cve,2001-0554 || nessus,10709
+1254 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370
+1255 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370
+1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html
+1257 || DOS Winnuke attack || bugtraq,2010 || cve,1999-0153
+1258 || WEB-MISC HP OpenView Manager DOS || bugtraq,2845 || cve,2001-0552
+1259 || WEB-MISC SWEditServlet access || bugtraq,2868
+1260 || WEB-MISC long basic authorization string || bugtraq,3230 || cve,2001-1067
+1261 || EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745
+1262 || RPC portmap admind request TCP || arachnids,18
+1263 || RPC portmap amountd request TCP || arachnids,19
+1264 || RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647
+1265 || RPC portmap cmsd request TCP || arachnids,17
+1266 || RPC portmap mountd request TCP || arachnids,13
+1267 || RPC portmap nisd request TCP || arachnids,21
+1268 || RPC portmap pcnfsd request TCP || arachnids,22
+1269 || RPC portmap rexd request TCP || arachnids,23
+1270 || RPC portmap rstatd request TCP || arachnids,10
+1271 || RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626
+1272 || RPC portmap sadmind request TCP || arachnids,20
+1273 || RPC portmap selection_svc request TCP || arachnids,25
+1274 || RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
+1275 || RPC portmap yppasswd request TCP || arachnids,14
+1276 || RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
+1277 || RPC portmap ypupdated request UDP || arachnids,125
+1278 || RPC rstatd query || arachnids,9
+1279 || RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
+1280 || RPC portmap listing UDP 111 || arachnids,428
+1281 || RPC portmap listing UDP 32771 || arachnids,429
+1282 || RPC EXPLOIT statdx || arachnids,442
+1283 || WEB-IIS outlook web dos || bugtraq,3223
+1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html
+1285 || WEB-IIS msdac access || nessus,11032
+1286 || WEB-IIS _mem_bin access || nessus,11032
+1287 || WEB-IIS scripts access
+1288 || WEB-FRONTPAGE /_vti_bin/ access || nessus,11032
+1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html
+1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html
+1291 || WEB-MISC sml3com access || bugtraq,2721 || cve,2001-0740
+1292 || ATTACK-RESPONSES directory listing
+1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml
+1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml
+1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml
+1296 || RPC portmap request yppasswdd || bugtraq,2763
+1297 || RPC portmap request yppasswdd || bugtraq,2763
+1298 || RPC portmap tooltalk request TCP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
+1299 || RPC portmap tooltalk request UDP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
+1300 || WEB-PHP admin.php file upload attempt || bugtraq,3361 || cve,2001-1032
+1301 || WEB-PHP admin.php access || bugtraq,3361 || bugtraq,7532 || bugtraq,9270 || cve,2001-1032
+1302 || WEB-MISC console.exe access || bugtraq,3375 || cve,2001-1252
+1303 || WEB-MISC cs.exe access || bugtraq,3375 || cve,2001-1252
+1304 || WEB-CGI txt2html.cgi access
+1305 || WEB-CGI txt2html.cgi directory traversal attempt
+1306 || WEB-CGI store.cgi product directory traversal attempt || bugtraq,2385 || cve,2001-0305
+1307 || WEB-CGI store.cgi access || bugtraq,2385 || cve,2001-0305 || nessus,10639
+1308 || WEB-CGI sendmessage.cgi access || bugtraq,3673 || cve,2001-1100
+1309 || WEB-CGI zsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html
+1321 || BAD-TRAFFIC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb\ || url,www.isi.edu/in-notes/rfc1122.txt
+1322 || BAD-TRAFFIC bad frag bits
+1323 || EXPLOIT rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838
+1324 || EXPLOIT ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
+1325 || EXPLOIT ssh CRC32 overflow filler || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
+1326 || EXPLOIT ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
+1327 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572
+1328 || WEB-ATTACKS /bin/ps command attempt
+1329 || WEB-ATTACKS ps command attempt
+1330 || WEB-ATTACKS wget command attempt || bugtraq,10361
+1331 || WEB-ATTACKS uname -a command attempt
+1332 || WEB-ATTACKS /usr/bin/id command attempt
+1333 || WEB-ATTACKS id command attempt
+1334 || WEB-ATTACKS echo command attempt
+1335 || WEB-ATTACKS kill command attempt
+1336 || WEB-ATTACKS chmod command attempt
+1337 || WEB-ATTACKS chgrp command attempt
+1338 || WEB-ATTACKS chown command attempt
+1339 || WEB-ATTACKS chsh command attempt
+1340 || WEB-ATTACKS tftp command attempt
+1341 || WEB-ATTACKS /usr/bin/gcc command attempt
+1342 || WEB-ATTACKS gcc command attempt
+1343 || WEB-ATTACKS /usr/bin/cc command attempt
+1344 || WEB-ATTACKS cc command attempt
+1345 || WEB-ATTACKS /usr/bin/cpp command attempt
+1346 || WEB-ATTACKS cpp command attempt
+1347 || WEB-ATTACKS /usr/bin/g++ command attempt
+1348 || WEB-ATTACKS g++ command attempt
+1349 || WEB-ATTACKS bin/python access attempt
+1350 || WEB-ATTACKS python access attempt
+1351 || WEB-ATTACKS bin/tclsh execution attempt
+1352 || WEB-ATTACKS tclsh execution attempt
+1353 || WEB-ATTACKS bin/nasm command attempt
+1354 || WEB-ATTACKS nasm command attempt
+1355 || WEB-ATTACKS /usr/bin/perl execution attempt
+1356 || WEB-ATTACKS perl execution attempt
+1357 || WEB-ATTACKS nt admin addition attempt
+1358 || WEB-ATTACKS traceroute command attempt
+1359 || WEB-ATTACKS ping command attempt
+1360 || WEB-ATTACKS netcat command attempt
+1361 || WEB-ATTACKS nmap command attempt
+1362 || WEB-ATTACKS xterm command attempt
+1363 || WEB-ATTACKS X application to remote host attempt
+1364 || WEB-ATTACKS lsof command attempt
+1365 || WEB-ATTACKS rm command attempt
+1366 || WEB-ATTACKS mail command attempt
+1367 || WEB-ATTACKS mail command attempt
+1368 || WEB-ATTACKS /bin/ls| command attempt
+1369 || WEB-ATTACKS /bin/ls command attempt
+1370 || WEB-ATTACKS /etc/inetd.conf access
+1371 || WEB-ATTACKS /etc/motd access
+1372 || WEB-ATTACKS /etc/shadow access
+1373 || WEB-ATTACKS conf/httpd.conf attempt
+1374 || WEB-MISC .htgroup access
+1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html
+1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592
+1377 || FTP wu-ftp bad file completion attempt [ || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886
+1378 || FTP wu-ftp bad file completion attempt { || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886
+1379 || FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt
+1380 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572
+1381 || WEB-MISC Trend Micro OfficeScan attempt || bugtraq,1057
+1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
+1383 || P2P Fastrack kazaa/morpheus GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm
+1384 || MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx
+1385 || WEB-MISC mod-plsql administration access || bugtraq,3726 || bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849
+1386 || MS-SQL/SMB raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx
+1387 || MS-SQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || nessus,11217
+1388 || MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876
+1389 || WEB-MISC viewcode.jse access || bugtraq,3715
+1390 || SHELLCODE x86 inc ebx NOOP
+1391 || WEB-MISC Phorecast remote code execution attempt || bugtraq,3388 || cve,2001-1049
+1392 || WEB-CGI lastlines.cgi access || bugtraq,3754 || bugtraq,3755 || cve,2001-1205 || cve,2001-1206
+1393 || MISC AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/
+1394 || SHELLCODE x86 NOOP
+1395 || WEB-CGI zml.cgi attempt || bugtraq,3759 || cve,2001-1209
+1396 || WEB-CGI zml.cgi access || bugtraq,3759 || cve,2001-1209
+1397 || WEB-CGI wayboard attempt || bugtraq,2370 || cve,2001-0214
+1398 || EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html
+1399 || WEB-PHP PHP-Nuke remote file include attempt || bugtraq,3889 || cve,2002-0206
+1400 || WEB-IIS /scripts/samples/ access || nessus,10370
+1401 || WEB-IIS /msadc/samples/ access || bugtraq,167 || cve,1999-0736 || nessus,1007
+1402 || WEB-IIS iissamples access || nessus,11032
+1403 || WEB-MISC viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048
+1404 || WEB-MISC showcode access || bugtraq,167 || cve,1999-0736 || nessus,10007
+1405 || WEB-CGI AHG search.cgi access || bugtraq,3985
+1406 || WEB-CGI agora.cgi access || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836
+1407 || WEB-PHP smssend.php access || bugtraq,3982 || cve,2002-0220
+1408 || DOS MSDTC attempt || bugtraq,4006 || cve,2002-0224 || nessus,10939
+1409 || SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html
+1410 || WEB-CGI dcboard.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583
+1411 || SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013
+1412 || SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013
+1413 || SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013
+1414 || SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1415 || SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1416 || SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1417 || SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1418 || SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1419 || SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1420 || SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1421 || SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013
+1422 || SNMP community string buffer overflow attempt with evasion || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html
+1423 || WEB-PHP content-disposition memchr overflow || bugtraq,4183 || cve,2002-0081 || nessus,10867
+1424 || SHELLCODE x86 0xEB0C NOOP
+1425 || WEB-PHP content-disposition || bugtraq,4183 || cve,2002-0081 || nessus,10867
+1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
+1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
+1428 || MULTIMEDIA audio galaxy keepalive
+1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl
+1430 || TELNET Solaris memory mismanagement exploit attempt
+1431 || BAD-TRAFFIC syn to multicast address
+1432 || P2P GNUTella client request
+1433 || WEB-MISC .history access
+1434 || WEB-MISC .bash_history access || bugtraq,337 || cve,1999-0408
+1435 || DNS named authors attempt || arachnids,480 || nessus,10728
+1436 || MULTIMEDIA Quicktime User Agent access
+1437 || MULTIMEDIA Windows Media download
+1438 || MULTIMEDIA Windows Media Video download
+1439 || MULTIMEDIA Shoutcast playlist redirection
+1440 || MULTIMEDIA Icecast playlist redirection
+1441 || TFTP GET nc.exe
+1442 || TFTP GET shadow
+1443 || TFTP GET passwd
+1444 || TFTP Get
+1445 || POLICY FTP file_id.diz access possible warez site
+1446 || SMTP vrfy root
+1447 || MISC MS Terminal server request RDP || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx
+1448 || MISC MS Terminal server request || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx
+1449 || POLICY FTP anonymous ftp login attempt
+1450 || SMTP expn *@ || cve,1999-1200
+1451 || WEB-CGI NPH-publish access || bugtraq,2563 || cve,2001-0400
+1452 || WEB-CGI args.cmd access || cve,1999-1180 || nessus,11465
+1453 || WEB-CGI AT-generated.cgi access || cve,1999-1072
+1454 || WEB-CGI wwwwais access || cve,2001-0223 || nessus,10597
+1455 || WEB-CGI calendar.pl access || bugtraq,1215 || cve,2000-0432
+1456 || WEB-CGI calender_admin.pl access || cve,2000-0432
+1457 || WEB-CGI user_update_admin.pl access || bugtraq,1486 || cve,2000-0627
+1458 || WEB-CGI user_update_passwd.pl access || bugtraq,1486 || cve,2000-0627
+1459 || WEB-CGI bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025
+1460 || WEB-CGI bb-histsvc.sh access || bugtraq,142 || cve,1999-1462
+1461 || WEB-CGI bb-rep.sh access || bugtraq,142 || cve,1999-1462
+1462 || WEB-CGI bb-replog.sh access || bugtraq,142 || cve,1999-1462
+1463 || CHAT IRC message
+1464 || ATTACK-RESPONSES oracle one hour install || nessus,10737
+1465 || WEB-CGI auktion.cgi access || bugtraq,2367 || cve,2001-0212 || nessus,10638
+1466 || WEB-CGI cgiforum.pl access || bugtraq,1963 || cve,2000-1171 || nessus,10552
+1467 || WEB-CGI directorypro.cgi access || bugtraq,2793 || cve,2001-0780
+1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,2000-0922
+1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,2000-0922
+1470 || WEB-CGI listrec.pl access || bugtraq,3328 || cve,2001-0997
+1471 || WEB-CGI mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641
+1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,2001-1114 || nessus,10721
+1473 || WEB-CGI newsdesk.cgi access || bugtraq,2172 || cve,2001-0232
+1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,2001-0463 || nessus,10664
+1475 || WEB-CGI mailit.pl access || nessus,10417
+1476 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2001-1130 || nessus,10503 || nessus,10720
+1477 || WEB-CGI swc attempt
+1478 || WEB-CGI swc access || nessus,10493
+1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || bugtraq,2890 || cve,2001-0805 || nessus,10696
+1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696
+1481 || WEB-CGI upload.cgi access || nessus,10290
+1482 || WEB-CGI view_source access || bugtraq,2251 || cve,1999-0174 || nessus,10294
+1483 || WEB-CGI ustorekeeper.pl access || cve,2001-0466 || nessus,10645
+1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,2001-0302
+1485 || WEB-IIS mkilog.exe access || nessus,10359 || url,www.osvdb.org/274
+1486 || WEB-IIS ctss.idc access || nessus,10359
+1487 || WEB-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 || bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371
+1488 || WEB-CGI store.cgi directory traversal attempt || bugtraq,2385 || cve,2001-0305 || nessus,10639
+1489 || WEB-MISC /~nobody access || nessus,10484
+1490 || WEB-PHP Phorum /support/common.php attempt || bugtraq,1997
+1491 || WEB-PHP Phorum /support/common.php access || bugtraq,1997 || bugtraq,9361
+1492 || WEB-MISC RBS ISP /newuser  directory traversal attempt || bugtraq,1704 || cve,2000-1036 || nessus,10521
+1493 || WEB-MISC RBS ISP /newuser access || bugtraq,1704 || cve,2000-1036 || nessus,10521
+1494 || WEB-CGI SIX webboard generate.cgi attempt || bugtraq,3175 || cve,2001-1115 || nessus,10725
+1495 || WEB-CGI SIX webboard generate.cgi access || bugtraq,3175 || cve,2001-1115
+1496 || WEB-CGI spin_client.cgi access || nessus,10393
+1497 || WEB-MISC cross site scripting attempt
+1498 || WEB-MISC PIX firewall manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819
+1499 || WEB-MISC SiteScope Service access || nessus,10778
+1500 || WEB-MISC ExAir access || bugtraq,193 || cve,1999-0449 || nessus,10002 || nessus,10003 || nessus,10004
+1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || bugtraq,2705 || cve,2001-0561 || nessus,10669
+1502 || WEB-CGI a1stats a1disp3.cgi access || bugtraq,2705 || cve,2001-0561 || nessus,10669
+1503 || WEB-CGI admentor admin.asp access || bugtraq,4152 || cve,2002-0308 || nessus,10880 || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html
+1504 || MISC AFS access || nessus,10441
+1505 || WEB-CGI alchemy http server PRN arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871
+1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871
+1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || bugtraq,770 || cve,1999-0885 || nessus,10013
+1508 || WEB-CGI alibaba.pl access || bugtraq,770 || cve ,CAN-1999-0885 || nessus,10013
+1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || bugtraq,896 || cve,2000-0039 || nessus,10015
+1510 || WEB-CGI test.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
+1511 || WEB-CGI test.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
+1512 || WEB-CGI input.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
+1513 || WEB-CGI input.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
+1514 || WEB-CGI input2.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
+1515 || WEB-CGI input2.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
+1516 || WEB-CGI envout.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016
+1517 || WEB-CGI envout.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016
+1518 || WEB-MISC nstelemetry.adp access || nessus,10753
+1519 || WEB-MISC apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731
+1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html
+1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html
+1522 || WEB-MISC ans.pl attempt || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875
+1523 || WEB-MISC ans.pl access || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875
+1524 || WEB-MISC AxisStorpoint CD attempt || bugtraq,1025 || cve,2000-0191 || nessus,10023
+1525 || WEB-MISC Axis Storpoint CD access || bugtraq,1025 || cve,2000-0191 || nessus,10023
+1526 || WEB-MISC basilix sendmail.inc access || bugtraq,2198 || cve,2001-1044 || nessus,10601
+1527 || WEB-MISC basilix mysql.class access || bugtraq,2198 || cve,2001-1044 || nessus,10601
+1528 || WEB-MISC BBoard access || bugtraq,1459 || cve,2000-0629 || nessus,10507
+1529 || FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770
+1530 || FTP format string attempt || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,1999-0997 || cve,2000-0573 || nessus,10452
+1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,1999-1462 || nessus,10025
+1532 || WEB-CGI bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460
+1533 || WEB-CGI bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460
+1534 || WEB-CGI agora.cgi attempt || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836
+1535 || WEB-CGI bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383
+1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432
+1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432
+1538 || NNTP AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341
+1539 || WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,2000-0079
+1540 || WEB-COLDFUSION ?Mode=debug attempt || nessus,10797
+1541 || FINGER version query
+1542 || WEB-CGI cgimail access || bugtraq,1623 || cve,2000-0726 || nessus,11721
+1543 || WEB-CGI cgiwrap access || bugtraq,1238 || bugtraq,3084 || bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 || nessus,10041
+1544 || WEB-MISC Cisco Catalyst command execution attempt || bugtraq,1846 || cve,2000-0945 || nessus,10545
+1545 || DOS Cisco attempt
+1546 || WEB-MISC Cisco /%% DOS attempt || bugtraq,1154 || cve,2000-0380
+1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || bugtraq,4368 || cve,2002-0495 || nessus,10924
+1548 || WEB-CGI csSearch.cgi access || bugtraq,4368 || cve,2002-0495 || nessus,10924
+1549 || SMTP HELO overflow attempt || bugtraq,7726 || bugtraq,895 || cve,2000-0042 || nessus,10324 || nessus,11674
+1550 || SMTP ETRN overflow attempt || bugtraq,1297 || bugtraq,7515 || cve,2000-0490 || nessus,10438
+1551 || WEB-MISC /CVS/Entries access || nessus,10922 || nessus,11032
+1552 || WEB-MISC cvsweb version access || cve,2000-0670
+1553 || WEB-CGI /cart/cart.cgi access || bugtraq,1115 || cve,2000-0252
+1554 || WEB-CGI dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403
+1555 || WEB-CGI DCShop access || bugtraq,2889 || cve,2001-0821
+1556 || WEB-CGI DCShop orders.txt access || bugtraq,2889 || cve,2001-0821
+1557 || WEB-CGI DCShop auth_user_file.txt access || bugtraq,2889 || cve,2001-0821
+1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165
+1559 || WEB-MISC /doc/packages access || bugtraq,1707 || cve,2000-1016 || nessus,10518 || nessus,11032
+1560 || WEB-MISC /doc/ access || bugtraq,318 || cve,1999-0678
+1561 || WEB-MISC ?open access
+1562 || FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065
+1563 || WEB-MISC login.htm attempt || bugtraq,665 || cve,1999-1533
+1564 || WEB-MISC login.htm access || bugtraq,665 || cve,1999-1533
+1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || bugtraq,3340 || cve,2001-1014
+1566 || WEB-CGI eshop.pl access || bugtraq,3340 || cve,2001-1014
+1567 || WEB-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 || url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx
+1568 || WEB-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781
+1569 || WEB-CGI loadpage.cgi directory traversal attempt || bugtraq,2109 || cve,2000-1092
+1570 || WEB-CGI loadpage.cgi access || bugtraq,2109 || cve,2000-1092
+1571 || WEB-CGI dcforum.cgi directory traversal attempt || bugtraq,2611 || cve,2001-0436 || cve,2001-0437
+1572 || WEB-CGI commerce.cgi arbitrary file access attempt || bugtraq,2361 || cve,2001-0210 || nessus,10612
+1573 || WEB-CGI cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552
+1574 || WEB-CGI directorypro.cgi attempt || bugtraq,2793 || cve,2001-0780
+1575 || WEB-MISC Domino mab.nsf access || bugtraq,4022 || nessus,10953
+1576 || WEB-MISC Domino cersvr.nsf access || nessus,10629
+1577 || WEB-MISC Domino setup.nsf access || nessus,10629
+1578 || WEB-MISC Domino statrep.nsf access || nessus,10629
+1579 || WEB-MISC Domino webadmin.nsf access || bugtraq,9900 || bugtraq,9901 || nessus,10629
+1580 || WEB-MISC Domino events4.nsf access || nessus,10629
+1581 || WEB-MISC Domino ntsync4.nsf access || nessus,10629
+1582 || WEB-MISC Domino collect4.nsf access || nessus,10629
+1583 || WEB-MISC Domino mailw46.nsf access || nessus,10629
+1584 || WEB-MISC Domino bookmark.nsf access || nessus,10629
+1585 || WEB-MISC Domino agentrunner.nsf access || nessus,10629
+1586 || WEB-MISC Domino mail.box access || bugtraq,881 || nessus,10629
+1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 || nessus,11131
+1588 || WEB-MISC SalesLogix Eviewer access || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289
+1589 || WEB-MISC musicat empower attempt || bugtraq,2374 || cve,2001-0224 || nessus,10609
+1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || bugtraq,3810 || nessus,10837
+1591 || WEB-CGI faqmanager.cgi access || bugtraq,3810 || nessus,10837
+1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838
+1593 || WEB-CGI FormHandler.cgi external site redirection attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
+1594 || WEB-CGI FormHandler.cgi access || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
+1595 || WEB-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 || cve,2000-0122 || cve,2000-0256 || nessus,10376
+1597 || WEB-CGI guestbook.cgi access || cve,1999-0237 || nessus,10098
+1598 || WEB-CGI Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054
+1599 || WEB-CGI search.cgi access || bugtraq,921 || cve,2000-0054
+1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208
+1601 || WEB-CGI htsearch arbitrary file read attempt || bugtraq,1026 || cve,2000-0208 || nessus,10105
+1602 || WEB-CGI htsearch access || bugtraq,1026 || cve,2000-0208 || nessus,10105
+1603 || WEB-MISC DELETE attempt || nessus,10498
+1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897
+1605 || DOS iParty DOS attempt || bugtraq,6844 || cve,1999-1566
+1606 || WEB-CGI icat access || cve,1999-1069
+1607 || WEB-CGI HyperSeek hsx.cgi access || bugtraq,2314 || cve,2001-0253 || nessus,10602
+1608 || WEB-CGI htmlscript attempt || bugtraq,2001 || cve,1999-0264 || nessus,10106
+1609 || WEB-CGI faxsurvey arbitrary file read attempt || bugtraq,2056 || cve,1999-0262 || nessus,10067
+1610 || WEB-CGI formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782
+1611 || WEB-CGI eXtropia webstore access || bugtraq,1774 || cve,2000-1005 || nessus,10532
+1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,2000-0674 || nessus,10467
+1613 || WEB-MISC handler attempt || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100
+1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877
+1615 || WEB-MISC htgrep attempt || cve,2000-0832
+1616 || DNS named version attempt || arachnids,278 || nessus,10028
+1617 || WEB-CGI Bugzilla doeditvotes.cgi access || bugtraq,3800 || cve,2002-0011
+1618 || WEB-IIS .asp chunked Transfer-Encoding || bugtraq,4474 || bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932
+1619 || EXPERIMENTAL WEB-IIS .htr request || bugtraq,4474 || cve,2002-0071 || nessus,10932
+1620 || BAD TRAFFIC Non-Standard IP protocol
+1621 || FTP CMD overflow attempt
+1622 || FTP RNFR ././ attempt
+1623 || FTP invalid MODE
+1624 || FTP large PWD command
+1625 || FTP large SYST command
+1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request
+1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers
+1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
+1629 || OTHER-IDS SecureNetPro traffic
+1631 || CHAT AIM login
+1632 || CHAT AIM send message
+1633 || CHAT AIM receive message
+1634 || POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325
+1635 || POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559
+1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10323
+1637 || WEB-CGI yabb access || arachnids,462 || bugtraq,1668 || cve,2000-0853
+1638 || SCAN SSH Version map attempt
+1639 || CHAT IRC DCC file transfer request
+1640 || CHAT IRC DCC chat request
+1641 || DOS DB2 dos attempt || bugtraq,3010 || cve,2001-1143 || nessus,10871
+1642 || WEB-CGI document.d2w access || bugtraq,2017 || cve,2000-1110
+1643 || WEB-CGI db2www access || cve,2000-0677
+1644 || WEB-CGI test-cgi attempt || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282
+1645 || WEB-CGI testcgi access || bugtraq,7214 || nessus,11610
+1646 || WEB-CGI test.cgi access
+1647 || WEB-CGI faxsurvey attempt full path || bugtraq,2056 || cve,1999-0262 || nessus,10067
+1648 || WEB-CGI perl.exe command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
+1649 || WEB-CGI perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
+1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,1999-0885 || nessus,10014
+1651 || WEB-CGI environ.pl access
+1652 || WEB-CGI campus attempt || bugtraq,1975 || cve,1999-0146 || nessus,10035
+1653 || WEB-CGI campus access || bugtraq,1975 || cve,1999-0146 || nessus,10035
+1654 || WEB-CGI cart32.exe access || bugtraq,1153
+1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt || cve,1999-0270 || nessus,10174
+1656 || WEB-CGI pfdispaly.cgi access || cve,1999-0270 || nessus,10174
+1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,2000-0940 || nessus,10591
+1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,2000-0940 || nessus,10591
+1659 || WEB-COLDFUSION sendmail.cfm access
+1660 || WEB-IIS trace.axd access || nessus,10993
+1661 || WEB-IIS cmd32.exe access
+1662 || WEB-MISC /~ftp access
+1663 || WEB-MISC *%0a.pl access || nessus,11007 || url,www.securityfocus.com/archive/1/149482
+1664 || WEB-MISC mkplog.exe access
+1665 || WEB-MISC mkilog.exe access
+1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039
+1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt || bugtraq,4858 || cve,2002-0902
+1668 || WEB-CGI /cgi-bin/ access
+1669 || WEB-CGI /cgi-dos/ access
+1670 || WEB-MISC /home/ftp access || nessus,11032
+1671 || WEB-MISC /home/www access || nessus,11032
+1672 || FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421
+1673 || ORACLE EXECUTE_SYSTEM attempt
+1674 || ORACLE connect_data remote version detection attempt
+1675 || ORACLE misparsed login response
+1676 || ORACLE select union attempt
+1677 || ORACLE select like '%' attempt
+1678 || ORACLE select like '%' attempt backslash escaped
+1679 || ORACLE describe attempt
+1680 || ORACLE all_constraints access
+1681 || ORACLE all_views access
+1682 || ORACLE all_source access
+1683 || ORACLE all_tables access
+1684 || ORACLE all_tab_columns access
+1685 || ORACLE all_tab_privs access
+1686 || ORACLE dba_tablespace access
+1687 || ORACLE dba_tables access
+1688 || ORACLE user_tablespace access
+1689 || ORACLE sys.all_users access
+1690 || ORACLE grant attempt
+1691 || ORACLE ALTER USER attempt
+1692 || ORACLE drop table attempt
+1693 || ORACLE create table attempt
+1694 || ORACLE alter table attempt
+1695 || ORACLE truncate table attempt
+1696 || ORACLE create database attempt
+1697 || ORACLE alter database attempt
+1698 || ORACLE execute_system attempt
+1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com
+1700 || WEB-CGI imagemap.exe access || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122
+1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
+1702 || WEB-CGI Amaya templates sendtemp.pl access || bugtraq,2504 || cve,2001-0272
+1703 || WEB-CGI auktion.cgi directory traversal attempt || bugtraq,2367 || cve,2001-0212 || nessus,10638
+1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,2001-0463 || nessus,10664
+1705 || WEB-CGI echo.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
+1706 || WEB-CGI echo.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
+1707 || WEB-CGI hello.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246
+1708 || WEB-CGI hello.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246
+1709 || WEB-CGI ad.cgi access || bugtraq,2103 || cve,2001-0025 || nessus,11464
+1710 || WEB-CGI bbs_forum.cgi access || bugtraq,2177 || cve,2001-0123 || url,www.cgisecurity.com/advisory/3.1.txt
+1711 || WEB-CGI bsguest.cgi access || bugtraq,2159 || cve,2001-0099
+1712 || WEB-CGI bslist.cgi access || bugtraq,2160 || cve,2001-0100
+1713 || WEB-CGI cgforum.cgi access || bugtraq,1951 || cve,2000-1132
+1714 || WEB-CGI newdesk access
+1715 || WEB-CGI register.cgi access || bugtraq,2157 || cve,2001-0076
+1716 || WEB-CGI gbook.cgi access || bugtraq,1940 || cve,2000-1131
+1717 || WEB-CGI simplestguest.cgi access || bugtraq,2106 || cve,2001-0022
+1718 || WEB-CGI statsconfig.pl access || bugtraq,2211 || cve,2001-0113
+1719 || WEB-CGI talkback.cgi directory traversal attempt || bugtraq,2547 || cve,2001-0420
+1720 || WEB-CGI talkback.cgi access || bugtraq,2547 || cve,2001-0420
+1721 || WEB-CGI adcycle access || bugtraq,3741 || cve,2001-1226
+1722 || WEB-CGI MachineInfo access || cve,1999-1067
+1723 || WEB-CGI emumail.cgi NULL attempt || bugtraq,5824 || cve,2002-1526
+1724 || WEB-CGI emumail.cgi access || bugtraq,5824 || cve,2002-1526
+1725 || WEB-IIS +.htr code fragment attempt || bugtraq,1488 || cve,2000-0630 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx
+1726 || WEB-IIS doctodep.btr access
+1727 || WEB-CGI SGI InfoSearch fname access || arachnids,290 || bugtraq,1031 || cve,2000-0207
+1728 || FTP CWD ~<CR><NEWLINE> attempt || bugtraq,2601 || cve,2001-0421
+1729 || CHAT IRC channel join
+1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || bugtraq,2536 || cve,2001-0466 || nessus,10645
+1731 || WEB-CGI a1stats access || bugtraq,2705 || cve,2001-0561 || nessus,10669
+1732 || RPC portmap rwalld request UDP
+1733 || RPC portmap rwalld request TCP
+1734 || FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286
+1735 || WEB-CLIENT XMLHttpRequest attempt || bugtraq,4628 || cve,2002-0354
+1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952
+1737 || WEB-PHP squirrel mail theme arbitrary command attempt || bugtraq,4385 || cve,2002-0516
+1738 || WEB-MISC global.inc access || bugtraq,4612 || cve,2002-0614
+1739 || WEB-PHP DNSTools administrator authentication bypass attempt || bugtraq,4617 || cve,2002-0613
+1740 || WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617 || cve,2002-0613
+1741 || WEB-PHP DNSTools access || bugtraq,4617 || cve,2002-0613
+1742 || WEB-PHP Blahz-DNS dostuff.php modify user attempt || bugtraq,4618 || cve,2002-0599
+1743 || WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618 || cve,2002-0599
+1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621
+1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635
+1746 || RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
+1747 || RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084
+1748 || FTP command overflow attempt || bugtraq,4638 || cve,2002-0606
+1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access
+1750 || WEB-IIS users.xml access
+1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951
+1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/
+1753 || WEB-IIS as_web.exe access || bugtraq,4670
+1754 || WEB-IIS as_web4.exe access || bugtraq,4670
+1755 || IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379
+1756 || WEB-IIS NewsPro administration authentication attempt || bugtraq,4672
+1757 || WEB-MISC b2 arbitrary command execution attempt || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667
+1758 || WEB-MISC b2 access || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667
+1759 || MS-SQL xp_cmdshell program execution 445
+1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt
+1761 || OTHER-IDS ISS RealSecure 6 daemon connection attempt
+1762 || WEB-CGI phf arbitrary command execution attempt || arachnids,128 || bugtraq,629 || cve,1999-0067
+1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
+1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
+1765 || WEB-CGI Nortel Contivity cgiproc access || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160
+1766 || WEB-MISC search.dll directory listing attempt || bugtraq,1684 || cve,2000-0835 || nessus,10514
+1767 || WEB-MISC search.dll access || bugtraq,1684 || cve,2000-0835 || nessus,10514
+1768 || WEB-IIS header field buffer overflow attempt || bugtraq,4476 || cve,2002-0150
+1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html
+1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html
+1771 || POLICY IPSec PGPNet connection attempt
+1772 || WEB-IIS pbserver access || cve,2000-1089 || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx
+1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html
+1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html
+1775 || MYSQL root login attempt
+1776 || MYSQL show databases attempt
+1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
+1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
+1779 || FTP CWD .... attempt || bugtraq,4884
+1780 || IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379
+1787 || WEB-CGI csPassword.cgi access || bugtraq,4885 || bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 || cve,2002-0918
+1788 || WEB-CGI csPassword password.cgi.tmp access || bugtraq,4889 || cve,2002-0920
+1789 || CHAT IRC dns request
+1790 || CHAT IRC dns response
+1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898
+1792 || NNTP return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909
+1800 || VIRUS Klez Incoming
+1801 || WEB-IIS .asp HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
+1802 || WEB-IIS .asa HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
+1803 || WEB-IIS .cer HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
+1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx
+1805 || WEB-CGI Oracle reports CGI access || bugtraq,4848 || cve,2002-0947
+1806 || WEB-IIS .htr chunked Transfer-Encoding || bugtraq,4855 || bugtraq,5003 || cve,2002-0364
+1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
+1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392
+1809 || WEB-MISC Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392
+1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
+1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
+1812 || EXPLOIT gobbles SSH exploit attempt || bugtraq,5093 || cve,2002-0390 || cve,2002-0639
+1813 || ICMP digital island bandwidth query
+1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || bugtraq,4794 || cve,2002-0882 || nessus,11013
+1815 || WEB-PHP directory.php arbitrary command attempt || bugtraq,4278 || cve,2002-0434
+1816 || WEB-PHP directory.php access || bugtraq,4278 || cve,2002-0434
+1817 || WEB-IIS MS Site Server default login attempt || nessus,11018
+1818 || WEB-IIS MS Site Server admin attempt || nessus,11018
+1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019
+1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || bugtraq,2350 || cve,2001-0319 || nessus,11020
+1821 || EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023
+1822 || WEB-CGI alienform.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
+1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027
+1824 || WEB-CGI alienform.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
+1825 || WEB-CGI AlienForm af.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027
+1826 || WEB-MISC WEB-INF access || bugtraq,1830 || bugtraq,5119 || cve,2000-1050 || cve,2001-0179 || nessus,11037
+1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041
+1828 || WEB-MISC iPlanet Search directory traversal attempt || bugtraq,5191 || cve,2002-1042 || nessus,11043
+1829 || WEB-MISC Tomcat TroubleShooter servlet access || bugtraq,4575 || nessus,11046
+1830 || WEB-MISC Tomcat SnoopServlet servlet access || bugtraq,4575 || nessus,11046
+1831 || WEB-MISC jigsaw dos attempt || nessus,11047
+1832 || CHAT ICQ forced user addition || bugtraq,3226 || cve,2001-1305
+1834 || WEB-PHP PHP-Wiki cross site scripting attempt || bugtraq,5254 || cve,2002-1070
+1835 || WEB-MISC Macromedia SiteSpring cross site scripting attempt || bugtraq,5249 || cve,2002-1027
+1838 || EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059
+1839 || WEB-MISC mailman cross site scripting attempt || bugtraq,5298 || cve,2002-0855
+1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346 || cve,2002-0815
+1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293
+1842 || IMAP login buffer overflow attempt || bugtraq,13727 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || cve,2005-1255 || nessus,10123 || nessus,10125
+1843 || BACKDOOR trinity connection attempt || cve,2000-0138 || nessus,10501
+1844 || IMAP authenticate overflow attempt || bugtraq,12995 || bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292
+1845 || IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
+1846 || POLICY vncviewer Java applet download attempt || nessus,10758
+1847 || WEB-MISC webalizer access || bugtraq,3473 || cve,2001-0835 || nessus,10816
+1848 || WEB-MISC webcart-lite access || cve,1999-0610 || nessus,10298
+1849 || WEB-MISC webfind.exe access || bugtraq,1487 || cve,2000-0622 || nessus,10475
+1850 || WEB-CGI way-board.cgi access || nessus,10610
+1851 || WEB-MISC active.log access || bugtraq,1497 || cve,2000-0642 || nessus,10470
+1852 || WEB-MISC robots.txt access || nessus,10302
+1853 || BACKDOOR win-trin00 connection attempt || cve,2000-0138 || nessus,10307
+1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
+1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
+1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
+1857 || WEB-MISC robot.txt access || nessus,10302
+1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819
+1859 || WEB-MISC Sun JavaServer default password login attempt || cve,1999-0508 || nessus,10995
+1860 || WEB-MISC Linksys router default password login attempt || nessus,10999
+1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999
+1862 || WEB-CGI mrtg.cgi directory traversal attempt || bugtraq,4017 || cve,2002-0232 || nessus,11001
+1864 || FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319
+1865 || WEB-CGI webdist.cgi arbitrary command attempt || bugtraq,374 || cve,1999-0039 || nessus,10299
+1866 || POP3 USER overflow attempt || bugtraq,11256 || bugtraq,789 || cve,1999-0494 || nessus,10311
+1867 || MISC xdmcp info query || nessus,10891
+1868 || WEB-CGI story.pl arbitrary file read attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817
+1869 || WEB-CGI story.pl access || bugtraq,3028 || cve,2001-0804 || nessus,10817
+1870 || WEB-CGI siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253
+1871 || WEB-MISC Oracle XSQLConfig.xml access || bugtraq,4290 || cve,2002-0568 || nessus,10855
+1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848
+1873 || WEB-MISC globals.jsa access || bugtraq,4034 || cve,2002-0562 || nessus,10850
+1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851
+1875 || WEB-CGI cgicso access || bugtraq,6141 || nessus,10779 || nessus,10780
+1876 || WEB-CGI nph-publish.cgi access || cve,1999-1177 || nessus,10164
+1877 || WEB-CGI printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503
+1878 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503
+1879 || WEB-CGI book.cgi arbitrary command execution attempt || bugtraq,3178 || cve,2001-1114 || nessus,10721
+1880 || WEB-MISC oracle web application server access || bugtraq,1053 || cve,2000-0169 || nessus,10348
+1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
+1882 || ATTACK-RESPONSES id check returned userid
+1883 || ATTACK-RESPONSES id check returned nobody
+1884 || ATTACK-RESPONSES id check returned web
+1885 || ATTACK-RESPONSES id check returned http
+1886 || ATTACK-RESPONSES id check returned apache
+1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html
+1888 || FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826
+1889 || MISC slapper worm admin traffic || url,isc.incidents.org/analysis.html?id=167 || url,www.cert.org/advisories/CA-2002-27.html
+1890 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
+1891 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666
+1892 || SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517
+1893 || SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517
+1894 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1895 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1896 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1897 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1898 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1899 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073
+1902 || IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
+1903 || IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
+1904 || IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
+1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
+1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704
+1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
+1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696
+1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
+1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
+1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,1999-0977
+1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977
+1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
+1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
+1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
+1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666
+1917 || SCAN UPnP service discover attempt
+1918 || SCAN SolarWinds IP scan attempt
+1919 || FTP CWD overflow attempt || bugtraq,11069 || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405
+1920 || FTP SITE NEWER overflow attempt || bugtraq,229 || cve,1999-0800
+1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040
+1922 || RPC portmap proxy attempt TCP
+1923 || RPC portmap proxy attempt UDP
+1924 || RPC mountd UDP export request || arachnids,26
+1925 || RPC mountd TCP exportall request || arachnids,26
+1926 || RPC mountd UDP exportall request || arachnids,26
+1927 || FTP authorized_keys
+1928 || FTP shadow retrieval attempt
+1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
+1930 || IMAP auth literal overflow attempt || cve,1999-0005
+1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278 || url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2 || url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2
+1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278
+1933 || WEB-CGI cart.cgi access || bugtraq,1115 || cve,2000-0252 || nessus,10368
+1934 || POP2 FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130
+1935 || POP2 FOLD arbitrary file attempt
+1936 || POP3 AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184
+1937 || POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197
+1938 || POP3 XTND overflow attempt
+1939 || MISC bootp hardware address length overflow || cve,1999-0798
+1940 || MISC bootp invalid hardware type || cve,1999-0798
+1941 || TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813
+1942 || FTP RMDIR overflow attempt || bugtraq,819
+1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,2000-0396 || nessus,11776
+1944 || WEB-MISC /ecscripts/ecware.exe access || bugtraq,6066
+1945 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537
+1946 || WEB-MISC answerbook2 admin attempt || bugtraq,5383 || cve,2000-0696
+1947 || WEB-MISC answerbook2 arbitrary command execution attempt || bugtraq,1556 || cve,2000-0697
+1948 || DNS zone transfer UDP || arachnids,212 || cve,1999-0532 || nessus,10595
+1949 || RPC portmap SET attempt TCP 111
+1950 || RPC portmap SET attempt UDP 111
+1951 || RPC mountd TCP mount request
+1952 || RPC mountd UDP mount request
+1953 || RPC AMD TCP pid request
+1954 || RPC AMD UDP pid request
+1955 || RPC AMD TCP version request
+1956 || RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696
+1957 || RPC sadmind UDP PING || bugtraq,866
+1958 || RPC sadmind TCP PING || bugtraq,866
+1959 || RPC portmap NFS request UDP
+1960 || RPC portmap NFS request TCP
+1961 || RPC portmap RQUOTA request UDP
+1962 || RPC portmap RQUOTA request TCP
+1963 || RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974
+1964 || RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003
+1965 || RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003
+1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100
+1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
+1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
+1969 || WEB-MISC ion-p access || bugtraq,6091 || cve,2002-1559
+1970 || WEB-IIS MDAC Content-Type overflow attempt || bugtraq,6214 || cve,2002-1142 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx || url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx
+1971 || FTP SITE EXEC format string attempt
+1972 || FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895
+1973 || FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108
+1974 || FTP REST overflow attempt || bugtraq,2972 || cve,2001-0826
+1975 || FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021
+1976 || FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021
+1977 || WEB-MISC xp_regwrite attempt
+1978 || WEB-MISC xp_regdeletekey attempt
+1979 || WEB-MISC perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158
+1980 || BACKDOOR DeepThroat 3.1 Connection attempt || mcafee,98574 || nessus,10053
+1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150] || mcafee,98574 || nessus,10053
+1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106 || mcafee,98574 || nessus,10053
+1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120] || mcafee,98574 || nessus,10053
+1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106 || mcafee,98574 || nessus,10053
+1985 || BACKDOOR Doly 1.5 server response
+1986 || CHAT MSN outbound file transfer request
+1987 || MISC xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188
+1988 || CHAT MSN outbound file transfer accept
+1989 || CHAT MSN outbound file transfer rejected
+1990 || CHAT MSN user search
+1991 || CHAT MSN login attempt
+1992 || FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112
+1993 || IMAP login literal buffer overflow attempt || bugtraq,6298
+1994 || WEB-CGI vpasswd.cgi access || bugtraq,6038 || nessus,11165
+1995 || WEB-CGI alya.cgi access || nessus,11118
+1996 || WEB-CGI viralator.cgi access || bugtraq,3495 || cve,2001-0849 || nessus,11107
+1997 || WEB-PHP read_body.php access attempt || bugtraq,6302 || cve,2002-1341
+1998 || WEB-PHP calendar.php access || bugtraq,5820 || bugtraq,9353 || nessus,11179
+1999 || WEB-PHP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104
+2000 || WEB-PHP readmsg.php access || cve,2001-1408 || nessus,11073
+2001 || WEB-CGI smartsearch.cgi access || bugtraq,7133
+2002 || WEB-PHP remote include path
+2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm
+2004 || MS-SQL Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm
+2005 || RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
+2006 || RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
+2007 || RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
+2008 || MISC CVS invalid user authentication response
+2009 || MISC CVS invalid repository response
+2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015
+2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015
+2012 || MISC CVS missing cvsroot response
+2013 || MISC CVS invalid module response
+2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892
+2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892
+2016 || RPC portmap status request TCP || arachnids,15
+2017 || RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331
+2018 || RPC mountd TCP dump request
+2019 || RPC mountd UDP dump request
+2020 || RPC mountd TCP unmount request
+2021 || RPC mountd UDP unmount request
+2022 || RPC mountd TCP unmountall request
+2023 || RPC mountd UDP unmountall request
+2024 || RPC RQUOTA getquota overflow attempt TCP || bugtraq,864 || cve,1999-0974
+2025 || RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779
+2026 || RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779
+2027 || RPC yppasswd old password overflow attempt UDP || bugtraq,2763 || cve,2001-0779
+2028 || RPC yppasswd old password overflow attempt TCP || bugtraq,2763 || cve,2001-0779
+2029 || RPC yppasswd new password overflow attempt UDP || bugtraq,2763 || cve,2001-0779
+2030 || RPC yppasswd new password overflow attempt TCP || bugtraq,2763 || cve,2001-0779
+2031 || RPC yppasswd user update UDP || bugtraq,2763 || cve,2001-0779
+2032 || RPC yppasswd user update TCP || bugtraq,2763 || cve,2001-0779
+2033 || RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232
+2034 || RPC ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016
+2035 || RPC portmap network-status-monitor request UDP
+2036 || RPC portmap network-status-monitor request TCP
+2037 || RPC network-status-monitor mon-callback request UDP
+2038 || RPC network-status-monitor mon-callback request TCP
+2039 || MISC bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312
+2040 || POLICY xtacacs login attempt
+2041 || MISC xtacacs failed login response
+2042 || POLICY xtacacs accepted login response
+2043 || MISC isakmp login failed
+2044 || POLICY PPTP Start Control Request attempt
+2045 || RPC snmpXdmi overflow attempt UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html
+2046 || IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379
+2047 || MISC rsyncd module list access
+2048 || MISC rsyncd overflow attempt || bugtraq,9153 || cve,2003-0962 || nessus,11943
+2049 || MS-SQL ping attempt || nessus,10674
+2050 || MS-SQL version overflow attempt || bugtraq,5310 || cve,2002-0649 || nessus,10674
+2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || bugtraq,1762 || cve,2000-0906
+2052 || WEB-CGI overflow.cgi access || bugtraq,6326 || cve,2002-1361 || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html
+2053 || WEB-CGI process_bug.cgi access || bugtraq,3272 || cve,2002-0008
+2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || bugtraq,3272 || cve,2002-0008
+2055 || WEB-CGI enter_bug.cgi access || bugtraq,3272 || cve,2002-0008
+2056 || WEB-MISC TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
+2057 || WEB-MISC helpout.exe access || bugtraq,6002 || cve,2002-1169 || nessus,11162
+2058 || WEB-MISC MsmMask.exe attempt || nessus,11163
+2059 || WEB-MISC MsmMask.exe access || nessus,11163
+2060 || WEB-MISC DB4Web access || nessus,11180
+2061 || WEB-MISC Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042
+2062 || WEB-MISC iPlanet .perf access || nessus,11220
+2063 || WEB-MISC Demarc SQL injection attempt || bugtraq,4520 || cve,2002-0539
+2064 || WEB-MISC Lotus Notes .csp script source download attempt || bugtraq,6841
+2065 || WEB-MISC Lotus Notes .csp script source download attempt
+2066 || WEB-MISC Lotus Notes .pl script source download attempt || bugtraq,6841
+2067 || WEB-MISC Lotus Notes .exe script source download attempt || bugtraq,6841
+2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588
+2069 || WEB-MISC chip.ini access || bugtraq,2755 || bugtraq,2775 || cve,2001-0749 || cve,2001-0771
+2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485
+2071 || WEB-MISC post32.exe access || bugtraq,1485
+2072 || WEB-MISC lyris.pl access || bugtraq,1584 || cve,2000-0758
+2073 || WEB-MISC globals.pl access || bugtraq,2671 || cve,2001-0330
+2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572
+2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572
+2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572
+2077 || WEB-PHP Mambo upload.php access || bugtraq,6572
+2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634
+2079 || RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508
+2080 || RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508
+2081 || RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
+2082 || RPC portmap rpc.xfsmd request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
+2083 || RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
+2084 || RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359
+2085 || WEB-CGI parse_xml.cgi access || bugtraq,6960 || cve,2003-0054
+2086 || WEB-CGI streaming server parse_xml.cgi access || bugtraq,6960 || cve,2003-0054
+2087 || SMTP From comment overflow attempt || bugtraq,6991 || cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025
+2088 || RPC ypupdated arbitrary command attempt UDP
+2089 || RPC ypupdated arbitrary command attempt TCP
+2090 || WEB-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx
+2091 || WEB-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx
+2092 || RPC portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028
+2093 || RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028
+2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391
+2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391
+2100 || BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409
+2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx
+2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx
+2103 || NETBIOS SMB trans2open buffer overflow attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt
+2104 || ATTACK-RESPONSES rexec username too long response || bugtraq,7459
+2105 || IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292
+2106 || IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
+2107 || IMAP create buffer overflow attempt || bugtraq,7446
+2108 || POP3 CAPA overflow attempt
+2109 || POP3 TOP overflow attempt
+2110 || POP3 STAT overflow attempt
+2111 || POP3 DELE overflow attempt
+2112 || POP3 RSET overflow attempt
+2113 || RSERVICES rexec username overflow attempt
+2114 || RSERVICES rexec password overflow attempt
+2115 || WEB-CGI album.pl access || bugtraq,7444 || nessus,11581
+2116 || WEB-CGI chipcfg.cgi access || bugtraq,2767 || cve,2001-1341 || url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html
+2117 || WEB-IIS Battleaxe Forum login.asp access || bugtraq,7416 || cve,2003-0215
+2118 || IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
+2119 || IMAP rename literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
+2120 || IMAP create literal buffer overflow attempt || bugtraq,7446
+2121 || POP3 DELE negative argument attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539
+2122 || POP3 UIDL negative argument attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570
+2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633
+2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673
+2125 || FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677
+2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || bugtraq,5807 || cve,2002-1214 || url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx
+2127 || WEB-CGI ikonboard.cgi access || bugtraq,7361 || nessus,11605
+2128 || WEB-CGI swsrv.cgi access || bugtraq,7510 || cve,2003-0217 || nessus,11608
+2129 || WEB-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0227 || cve,2003-0349 || nessus,11664 || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx
+2130 || WEB-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662
+2131 || WEB-IIS IISProtect access || nessus,11661
+2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657
+2133 || WEB-IIS MS BizTalk server access || bugtraq,7469 || bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
+2134 || WEB-IIS register.asp access || nessus,11621
+2135 || WEB-MISC philboard.mdb access || nessus,11682
+2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || bugtraq,7739 || nessus,11675
+2137 || WEB-MISC philboard_admin.asp access || bugtraq,7739 || nessus,11675
+2138 || WEB-MISC logicworks.ini access || bugtraq,6996 || nessus,11639
+2139 || WEB-MISC /*.shtml access || bugtraq,1517 || cve,2000-0683 || nessus,11604
+2140 || WEB-PHP p-news.php access || nessus,11669
+2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668
+2142 || WEB-PHP shoutbox.php access || nessus,11668
+2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667
+2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667
+2145 || WEB-PHP TextPortal admin.php default password admin attempt || bugtraq,7673 || nessus,11660
+2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || bugtraq,7673 || nessus,11660
+2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || bugtraq,7677 || cve,2003-0394 || nessus,11647
+2148 || WEB-PHP BLNews objects.inc.php4 access || bugtraq,7677 || cve,2003-0394 || nessus,11647
+2149 || WEB-PHP Turba status.php access || nessus,11646
+2150 || WEB-PHP ttCMS header.php remote file include attempt || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636
+2151 || WEB-PHP ttCMS header.php access || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636
+2152 || WEB-PHP test.php access || nessus,11617
+2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630
+2154 || WEB-PHP autohtml.php access || nessus,11630
+2155 || WEB-PHP ttforum remote file include attempt || bugtraq,7542 || bugtraq,7543 || nessus,11615
+2156 || WEB-MISC mod_gzip_status access || nessus,11685
+2157 || WEB-IIS IISProtect globaladmin.asp access || nessus,11661
+2158 || MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575
+2159 || MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350
+2160 || VIRUS OUTBOUND .exe file attachment
+2161 || VIRUS OUTBOUND .doc file attachment
+2162 || VIRUS OUTBOUND .hta file attachment
+2163 || VIRUS OUTBOUND .chm file attachment
+2164 || VIRUS OUTBOUND .reg file attachment
+2165 || VIRUS OUTBOUND .ini file attachment
+2166 || VIRUS OUTBOUND .bat file attachment
+2167 || VIRUS OUTBOUND .diz file attachment
+2168 || VIRUS OUTBOUND .cpp file attachment
+2169 || VIRUS OUTBOUND .dll file attachment
+2170 || VIRUS OUTBOUND .vxd file attachment
+2171 || VIRUS OUTBOUND .sys file attachment
+2172 || VIRUS OUTBOUND .com file attachment
+2173 || VIRUS OUTBOUND .hsq file attachment
+2174 || NETBIOS SMB winreg create tree attempt
+2175 || NETBIOS SMB winreg unicode create tree attempt
+2176 || NETBIOS SMB startup folder access
+2177 || NETBIOS SMB startup folder unicode access
+2178 || FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687
+2179 || FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699
+2180 || P2P BitTorrent announce request
+2181 || P2P BitTorrent transfer
+2182 || BACKDOOR typot trojan traffic || mcafee,100406
+2183 || SMTP Content-Transfer-Encoding overflow attempt || cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html
+2184 || RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800
+2185 || RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800
+2186 || BAD-TRAFFIC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567
+2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567
+2188 || BAD-TRAFFIC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567
+2189 || BAD-TRAFFIC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567
+2190 || NETBIOS DCERPC invalid bind attempt
+2191 || NETBIOS SMB DCERPC invalid bind attempt
+2192 || NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+2194 || WEB-CGI CSMailto.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-0749 || nessus,11748
+2195 || WEB-CGI alert.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748
+2196 || WEB-CGI catgy.cgi access || bugtraq,3714 || bugtraq,4579 || cve,2001-1212 || nessus,11748
+2197 || WEB-CGI cvsview2.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748
+2198 || WEB-CGI cvslog.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748
+2199 || WEB-CGI multidiff.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748
+2200 || WEB-CGI dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579 || cve,2000-0423 || nessus,11748
+2201 || WEB-CGI download.cgi access || bugtraq,4579 || cve,1999-1377 || nessus,11748
+2202 || WEB-CGI edit_action.cgi access || bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748
+2203 || WEB-CGI everythingform.cgi access || bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748
+2204 || WEB-CGI ezadmin.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748
+2205 || WEB-CGI ezboard.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748
+2206 || WEB-CGI ezman.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748
+2207 || WEB-CGI fileseek.cgi access || bugtraq,4579 || bugtraq,6784 || cve,2002-0611 || nessus,11748
+2208 || WEB-CGI fom.cgi access || bugtraq,4579 || cve,2002-0230 || nessus,11748
+2209 || WEB-CGI getdoc.cgi access || bugtraq,4579 || cve,2000-0288 || nessus,11748
+2210 || WEB-CGI global.cgi access || bugtraq,4579 || cve,2000-0952 || nessus,11748
+2211 || WEB-CGI guestserver.cgi access || bugtraq,4579 || cve,2001-0180 || nessus,11748
+2212 || WEB-CGI imageFolio.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748
+2213 || WEB-CGI mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748
+2214 || WEB-CGI mailview.cgi access || bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748
+2215 || WEB-CGI nsManager.cgi access || bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748
+2216 || WEB-CGI readmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748
+2217 || WEB-CGI printmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748
+2218 || WEB-CGI service.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748
+2219 || WEB-CGI setpasswd.cgi access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748
+2220 || WEB-CGI simplestmail.cgi access || bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748
+2221 || WEB-CGI ws_mail.cgi access || bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748
+2222 || WEB-CGI nph-exploitscanget.cgi access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434 || nessus,11740
+2223 || WEB-CGI csNews.cgi access || bugtraq,4994 || cve,2002-0923 || nessus,11726
+2224 || WEB-CGI psunami.cgi access || bugtraq,6607 || nessus,11750
+2225 || WEB-CGI gozila.cgi access || bugtraq,6086 || cve,2002-1236 || nessus,11773
+2226 || WEB-PHP pmachine remote file include attempt || bugtraq,7919 || nessus,11739
+2227 || WEB-PHP forum_details.php access || bugtraq,7933 || nessus,11760
+2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || bugtraq,7962 || bugtraq,7965 || nessus,11761
+2229 || WEB-PHP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767
+2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737
+2231 || WEB-MISC register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
+2232 || WEB-MISC ContentFilter.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
+2233 || WEB-MISC SFNofitication.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
+2234 || WEB-MISC TOP10.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
+2235 || WEB-MISC SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
+2236 || WEB-MISC spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
+2237 || WEB-MISC cgiWebupdate.exe access || bugtraq,3216 || cve,2001-1150 || nessus,11722
+2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || bugtraq,1518 || cve,2000-0682 || nessus,11724
+2239 || WEB-MISC redirect.exe access || bugtraq,1256 || cve,2000-0401
+2240 || WEB-MISC changepw.exe access || bugtraq,1256 || cve,2000-0401
+2241 || WEB-MISC cwmail.exe access || bugtraq,4093 || cve,2002-0273 || nessus,11727
+2242 || WEB-MISC ddicgi.exe access || bugtraq,1657 || cve,2000-0826 || nessus,11728
+2243 || WEB-MISC ndcgi.exe access || bugtraq,3583 || cve,2001-0922 || nessus,11730
+2244 || WEB-MISC VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731
+2245 || WEB-MISC Webnews.exe access || bugtraq,4124 || cve,2002-0290 || nessus,11732
+2246 || WEB-MISC webadmin.dll access || bugtraq,7438 || bugtraq,7439 || bugtraq,8024 || cve,2003-0471 || nessus,11771
+2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938
+2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938
+2249 || WEB-IIS /pcadmin/login.asp access || bugtraq,8103 || nessus,11785
+2250 || POP3 USER format string attempt || bugtraq,10976 || bugtraq,7667 || cve,2003-0391 || nessus,11742
+2251 || NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx
+2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx
+2253 || SMTP XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
+2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
+2255 || RPC sadmind query with root credentials attempt TCP
+2256 || RPC sadmind query with root credentials attempt UDP
+2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx
+2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx
+2259 || SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161
+2260 || SMTP VRFY overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161
+2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 || nessus,11316
+2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
+2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
+2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
+2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
+2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
+2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
+2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
+2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
+2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161
+2271 || BACKDOOR FsSniffer connection attempt || nessus,11854
+2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854
+2273 || IMAP login brute force attempt
+2274 || POP3 login brute force attempt
+2275 || SMTP AUTH LOGON brute force attempt
+2276 || WEB-MISC oracle portal demo access || nessus,11918
+2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627
+2278 || WEB-MISC client negative Content-Length attempt || bugtraq,9098 || bugtraq,9476 || bugtraq,9576 || cve,2004-0095
+2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057
+2280 || WEB-PHP Title.php access || bugtraq,9057
+2281 || WEB-PHP Setup.php access || bugtraq,9057
+2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057
+2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057
+2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057
+2285 || WEB-PHP rolis guestbook access || bugtraq,9057
+2286 || WEB-PHP friends.php access || bugtraq,9088
+2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890 || nessus,11487
+2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890 || nessus,11487
+2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890 || nessus,11487
+2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890 || nessus,11487
+2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890 || nessus,11487
+2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890 || nessus,11487
+2293 || WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890 || nessus,11487
+2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890 || nessus,11487
+2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890 || nessus,11487
+2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890 || nessus,11487
+2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890 || nessus,11487
+2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890 || nessus,11487
+2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890 || nessus,11487
+2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890 || nessus,11487
+2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890 || nessus,11487
+2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890 || nessus,11487
+2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890 || nessus,11487
+2304 || WEB-PHP files.inc.php access || bugtraq,8910
+2305 || WEB-PHP chatbox.php access || bugtraq,8930
+2306 || WEB-PHP gallery remote file include attempt || bugtraq,8814 || nessus,11876
+2307 || WEB-PHP PayPal Storefront remote file include attempt || bugtraq,8791 || nessus,11873
+2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
+2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
+2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
+2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
+2312 || SHELLCODE x86 0x71FB7BAB NOOP
+2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode
+2314 || SHELLCODE x86 0x90 NOOP unicode
+2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
+2316 || NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx
+2317 || MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977
+2318 || MISC CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977
+2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156
+2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156
+2321 || WEB-IIS foxweb.exe access || nessus,11939
+2322 || WEB-IIS foxweb.dll access || nessus,11939
+2323 || WEB-CGI quickstore.cgi access || bugtraq,9282 || nessus,11975
+2324 || WEB-IIS VP-ASP shopsearch.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942
+2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942
+2326 || WEB-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375 || nessus,11955
+2327 || WEB-MISC bsml.pl access || bugtraq,9311 || nessus,11973
+2328 || WEB-PHP authentication_index.php access || cve,2004-0032 || nessus,11982
+2329 || MS-SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx
+2330 || IMAP auth overflow attempt || bugtraq,8861
+2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430
+2332 || FTP MKDIR format string attempt || bugtraq,9262
+2333 || FTP RENAME format string attempt || bugtraq,9262
+2334 || FTP Yak! FTP server default account login attempt || bugtraq,9072
+2335 || FTP RMD / attempt || bugtraq,9159
+2336 || TFTP NULL command attempt || bugtraq,7575
+2337 || TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380
+2338 || FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx
+2339 || TFTP NULL command attempt || bugtraq,7575
+2340 || FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037
+2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
+2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
+2343 || FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133
+2344 || FTP XCWD overflow attempt || bugtraq,11542 || bugtraq,8704
+2345 || WEB-PHP PhpGedView search.php access || bugtraq,9369 || cve,2004-0032
+2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544
+2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544
+2348 || NETBIOS SMB-DS DCERPC print spool bind attempt
+2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt
+2350 || NETBIOS DCERPC ISystemActivator bind accept || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+2352 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488
+2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488
+2355 || WEB-PHP Invision Board emailer.php file include || bugtraq,7204
+2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000
+2357 || WEB-PHP WebChat english.php file include || bugtraq,7000
+2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984
+2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976
+2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744
+2361 || WEB-PHP news.php file include || bugtraq,6674
+2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663
+2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597
+2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597
+2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488
+2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030
+2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030
+2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030
+2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516
+2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542
+2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555
+2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557
+2373 || FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021
+2374 || FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544
+2375 || BACKDOOR DoomJuice file upload attempt || url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
+2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
+2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
+2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
+2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
+2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040
+2381 || WEB-MISC schema overflow attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084
+2382 || NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+2383 || NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065
+2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065
+2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+2387 || WEB-CGI view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422
+2388 || WEB-CGI streaming server view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422
+2389 || FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466
+2390 || FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466
+2391 || FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466
+2392 || FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298
+2393 || WEB-PHP /_admin access || bugtraq,9537 || nessus,12032
+2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014
+2395 || WEB-MISC InteractiveQuery.jsp access || bugtraq,8938 || cve,2003-0624
+2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095 || url,secunia.com/advisories/9191/
+2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095 || url,secunia.com/advisories/9191/
+2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965
+2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964
+2400 || WEB-MISC edittag.pl access || bugtraq,6675
+2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
+2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
+2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
+2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html
+2405 || WEB-PHP phptest.php access || bugtraq,9737
+2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681 || cve,2004-0311 || nessus,12066
+2407 || WEB-MISC util.pl access || bugtraq,9748
+2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
+2409 || POP3 APOP USER overflow attempt || bugtraq,9794
+2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
+2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || bugtraq,8476 || url,www.service.real.com/help/faq/security/rootexploit091103.html
+2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
+2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164
+2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164
+2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164
+2416 || FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330
+2417 || FTP format string attempt
+2418 || MISC MS Terminal Server no encryption session initiation attempt || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx
+2419 || MULTIMEDIA realplayer .ram playlist download attempt
+2420 || MULTIMEDIA realplayer .rmp playlist download attempt
+2421 || MULTIMEDIA realplayer .smi playlist download attempt
+2422 || MULTIMEDIA realplayer .rt playlist download attempt
+2423 || MULTIMEDIA realplayer .rp playlist download attempt
+2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-0045
+2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-0045
+2426 || NNTP version overflow attempt || bugtraq,9382 || cve,2004-0045
+2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-0045
+2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045
+2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-0045
+2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-0045
+2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,2004-0045
+2432 || NNTP article post without path attempt
+2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317 || url,secunia.com/advisories/10512/
+2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317 || url,secunia.com/advisories/10512/
+2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || cve,2003-0726
+2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579 || cve,2004-0258
+2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579 || cve,2004-0258
+2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 || cve,2004-0258
+2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
+2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || bugtraq,9735 || cve,2004-0169
+2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt || cve,2004-0362 || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2447 || WEB-MISC ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122
+2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120
+2449 || FTP ALLO overflow attempt || bugtraq,9953
+2450 || CHAT Yahoo IM successful logon
+2451 || CHAT Yahoo IM voicechat
+2452 || CHAT Yahoo IM ping
+2453 || CHAT Yahoo IM conference invitation
+2454 || CHAT Yahoo IM conference logon success
+2455 || CHAT Yahoo IM conference message
+2456 || CHAT Yahoo Messenger File Transfer Receive Request
+2457 || CHAT Yahoo IM message
+2458 || CHAT Yahoo IM successful chat join
+2459 || CHAT Yahoo IM conference offer invitation
+2460 || CHAT Yahoo IM conference request
+2461 || CHAT Yahoo IM conference watch
+2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367
+2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367
+2464 || EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367
+2465 || NETBIOS SMB-DS IPC$ share access
+2466 || NETBIOS SMB-DS IPC$ unicode share access
+2467 || NETBIOS SMB D$ unicode share access
+2468 || NETBIOS SMB-DS D$ share access
+2469 || NETBIOS SMB-DS D$ unicode share access
+2470 || NETBIOS SMB C$ unicode share access
+2471 || NETBIOS SMB-DS C$ share access
+2472 || NETBIOS SMB-DS C$ unicode share access
+2473 || NETBIOS SMB ADMIN$ unicode share access
+2474 || NETBIOS SMB-DS ADMIN$ share access
+2475 || NETBIOS SMB-DS ADMIN$ unicode share access
+2476 || NETBIOS SMB-DS winreg create tree attempt
+2477 || NETBIOS SMB-DS winreg unicode create tree attempt
+2478 || NETBIOS SMB-DS winreg bind attempt
+2479 || NETBIOS SMB-DS winreg unicode bind attempt
+2480 || NETBIOS SMB-DS InitiateSystemShutdown unicode attempt
+2481 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt
+2482 || NETBIOS SMB-DS InitiateSystemShutdown attempt
+2483 || NETBIOS SMB-DS InitiateSystemShutdown little endian attempt
+2484 || WEB-MISC source.jsp access || nessus,12119
+2485 || WEB-CLIENT Norton antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363
+2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184
+2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621
+2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621
+2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978
+2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978
+2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2494 || NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2497 || IMAP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2498 || IMAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2499 || MISC LDAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2500 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2501 || POP3 SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2502 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2503 || SMTP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2504 || SMTP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2505 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2506 || WEB-MISC SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2507 || NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2510 || NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2515 || WEB-MISC PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2516 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2517 || IMAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2518 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2520 || WEB-MISC SSLv3 Client_Hello request
+2521 || WEB-MISC SSLv3 Server_Hello request
+2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2523 || DOS BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm
+2524 || NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2527 || SMTP STARTTLS attempt
+2528 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2529 || IMAP SSLv3 Client_Hello request
+2530 || IMAP SSLv3 Server_Hello request
+2531 || IMAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2532 || POP3 SSLv3 Client_Hello request
+2533 || POP3 SSLv3 Server_Hello request
+2534 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2535 || POP3 SSLv3 Client_Hello request
+2536 || POP3 SSLv3 Server_Hello request
+2537 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2541 || SMTP TLS SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2542 || SMTP SSLv3 Client_Hello request
+2543 || SMTP TLS SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2544 || SMTP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || bugtraq,10271 || cve,2004-0430 || url,www.atstake.com/research/advisories/2004/a050304-1.txt
+2546 || FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080
+2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978
+2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972
+2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973
+2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt
+2551 || EXPLOIT Oracle Web Cache GET overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2554 || EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126
+2561 || MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230
+2562 || WEB-MISC McAfee ePO file upload attempt || bugtraq,10200 || cve,2004-0038
+2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html
+2564 || NETBIOS NS lookup short response attempt || bugtraq,10334 || bugtraq,10335 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512C.html
+2565 || WEB-PHP modules.php access || bugtraq,9879
+2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9865 || bugtraq,9866 || nessus,12093
+2567 || WEB-CGI Emumail init.emu access || bugtraq,9861 || nessus,12095
+2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861 || nessus,12095
+2569 || WEB-MISC cPanel resetpass access || bugtraq,9848
+2570 || WEB-MISC Invalid HTTP Version String || bugtraq,9809 || nessus,11593
+2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805
+2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805
+2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805
+2574 || FTP RETR format string attempt || bugtraq,9800
+2575 || WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732
+2576 || ORACLE dbms_repcat.generate_replication_support buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html
+2577 || WEB-CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878
+2578 || EXPLOIT kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt
+2579 || EXPLOIT kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt
+2580 || WEB-MISC server negative Content-Length attempt || cve,2004-0492 || url,www.guninski.com/modproxy1.html
+2581 || WEB-MISC Crystal Reports crystalimagehandler.aspx access || cve,2004-0204 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx
+2582 || WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt || bugtraq,10260 || cve,2004-0204 || nessus,12271 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx
+2583 || MISC CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,2004-0417
+2584 || EXPLOIT eMule buffer overflow attempt || bugtraq,10039 || nessus,12233
+2585 || WEB-MISC nessus 2.x 404 probe || nessus,10386
+2586 || P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html
+2587 || P2P eDonkey server response || url,www.emule-project.net
+2588 || WEB-PHP TUTOS path disclosure attempt || bugtraq,10129 || url,www.securiteam.com/unixfocus/5FP0J15CKE.html
+2589 || WEB-CLIENT Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx
+2590 || SMTP MAIL FROM overflow attempt || bugtraq,10290 || bugtraq,7506 || cve,2004-0399 || url,www.guninski.com/exim1.html
+2591 || SMTP From command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html
+2592 || SMTP ReplyTo command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html
+2593 || SMTP Sender command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html
+2594 || SMTP To command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html
+2595 || SMTP CC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html
+2596 || SMTP BCC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html
+2597 || WEB-MISC Samba SWAT Authorization overflow attempt || bugtraq,10780
+2598 || WEB-MISC Samba SWAT Authorization port 901 overflow attempt || bugtraq,10780
+2599 || ORACLE dbms_repcat.add_grouped_column buffer overflow attempt
+2600 || ORACLE add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html
+2601 || ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt
+2602 || ORACLE drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html
+2603 || ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html
+2604 || ORACLE create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html
+2605 || ORACLE dbms_repcat.compare_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html
+2606 || ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
+2607 || ORACLE comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
+2608 || ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2609 || ORACLE dbms_repcat.cancel_statistics buffer overflow attempt
+2610 || ORACLE cancel_statistics ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html
+2611 || ORACLE LINK metadata buffer overflow attempt || bugtraq,7453 || cve,2003-0222 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html
+2612 || ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2613 || ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2614 || ORACLE time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt
+2615 || ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2616 || ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2617 || ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
+2618 || ORACLE alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
+2619 || ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
+2620 || ORACLE alter_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
+2621 || ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2622 || ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2623 || ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2624 || ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html
+2625 || ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html
+2626 || ORACLE dbms_repcat.send_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html
+2627 || ORACLE dbms_repcat.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
+2628 || ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
+2629 || ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html
+2630 || ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html
+2631 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
+2632 || ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
+2633 || ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2634 || ORACLE rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2635 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
+2636 || ORACLE snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
+2637 || ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
+2638 || ORACLE drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
+2639 || ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
+2640 || ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
+2641 || ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt
+2642 || ORACLE drop_site_instantiation ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html
+2643 || ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html
+2644 || ORACLE from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt
+2645 || ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt
+2646 || ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html
+2647 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt
+2648 || ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html
+2649 || ORACLE service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html
+2650 || ORACLE user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html
+2651 || ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_numtodsinterval.txt || url,www.nextgenss.com/advisories/ora_numtoyminterval.txt
+2652 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
+2653 || ORACLE og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
+2654 || WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193
+2655 || MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224
+2656 || WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt
+2657 || WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt
+2658 || WEB-MISC SSLv2 Client_Hello request
+2659 || WEB-MISC SSLv2 Client_Hello with pad request
+2660 || WEB-MISC SSLv2 Server_Hello request
+2661 || WEB-MISC TLSv1 Client_Hello request
+2662 || WEB-MISC TLSv1 Server_Hello request
+2663 || WEB-CGI WhatsUpGold instancename overflow attempt || bugtraq,11043 || cve,2004-0798
+2664 || IMAP login format string attempt || bugtraq,10976
+2665 || IMAP login literal format string attempt || bugtraq,10976
+2666 || POP3 PASS format string attempt || bugtraq,10976
+2667 || WEB-IIS ping.asp access || nessus,10968
+2668 || WEB-CGI processit access || nessus,10649
+2669 || WEB-CGI ibillpm.pl access || bugtraq,3476 || nessus,11083
+2670 || WEB-CGI pgpmail.pl access || bugtraq,3605 || cve,2001-0937 || nessus,11070
+2671 || WEB-CLIENT bitmap BitmapOffset integer overflow attempt || bugtraq,9663 || cve,2004-0566
+2672 || WEB-MISC sresult.exe access || bugtraq,10837 || nessus,14186
+2673 || WEB-CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597
+2674 || ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt
+2675 || ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt
+2676 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt
+2677 || ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt
+2678 || ORACLE ctx_output.start_log buffer overflow attempt
+2679 || ORACLE sys.dbms_system.ksdwrt buffer overflow attempt
+2680 || ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt
+2681 || ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt
+2682 || ORACLE mdsys.md2.validate_geom buffer overflow attempt
+2683 || ORACLE mdsys.md2.sdo_code_size buffer overflow attempt
+2684 || ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt
+2685 || ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt
+2686 || ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
+2687 || ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt
+2688 || ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt
+2689 || ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt
+2690 || ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt
+2691 || ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt
+2692 || ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt
+2693 || ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt
+2694 || ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt
+2695 || ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt
+2696 || ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt
+2697 || ORACLE alter file buffer overflow attempt
+2698 || ORACLE create file buffer overflow attempt
+2699 || ORACLE TO_CHAR buffer overflow attempt
+2700 || ORACLE numtoyminterval buffer overflow attempt
+2701 || WEB-MISC Oracle iSQLPlus sid overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
+2702 || WEB-MISC Oracle iSQLPlus username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
+2703 || WEB-MISC Oracle iSQLPlus login.uix username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
+2704 || WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
+2705 || WEB-CLIENT JPEG parser heap overflow attempt || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx
+2706 || WEB-CLIENT JPEG transfer
+2707 || WEB-CLIENT JPEG parser multipacket heap overflow || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx
+2708 || ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2709 || ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2710 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2711 || ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2712 || ORACLE dbms_offline_og.end_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2713 || ORACLE dbms_offline_og.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2714 || ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2715 || ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2716 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2717 || ORACLE dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2718 || ORACLE dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2719 || ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2720 || ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2721 || ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2722 || ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2723 || ORACLE dbms_repcat.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2724 || ORACLE dbms_repcat.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2725 || ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2726 || ORACLE dbms_repcat.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2727 || ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2728 || ORACLE dbms_repcat.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2729 || ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2730 || ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2731 || ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2732 || ORACLE dbms_repcat.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2733 || ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2734 || ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2735 || ORACLE dbms_repcat.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2736 || ORACLE dbms_repcat.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2737 || ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2738 || ORACLE dbms_repcat.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2739 || ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2740 || ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2741 || ORACLE dbms_repcat.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2742 || ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2743 || ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2744 || ORACLE dbms_repcat.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2745 || ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2746 || ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2747 || ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2748 || ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2749 || ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2750 || ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2751 || ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2752 || ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2753 || ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2754 || ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2755 || ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2756 || ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2757 || ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2758 || ORACLE dbms_repcat.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2759 || ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2760 || ORACLE dbms_repcat.define_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2761 || ORACLE dbms_repcat.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2762 || ORACLE dbms_repcat.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2763 || ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2764 || ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2765 || ORACLE dbms_repcat.drop_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2766 || ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2767 || ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2768 || ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2769 || ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2770 || ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2771 || ORACLE dbms_repcat.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2772 || ORACLE dbms_repcat.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2773 || ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2774 || ORACLE dbms_repcat.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2775 || ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2776 || ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2777 || ORACLE dbms_repcat.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2778 || ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2779 || ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2780 || ORACLE dbms_repcat.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2781 || ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2782 || ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2783 || ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2784 || ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2785 || ORACLE dbms_repcat.execute_ddl buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2786 || ORACLE dbms_repcat.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2787 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2788 || ORACLE dbms_repcat.make_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2789 || ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2790 || ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2791 || ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2792 || ORACLE dbms_repcat.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2793 || ORACLE dbms_repcat.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2794 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2795 || ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2796 || ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2797 || ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2798 || ORACLE dbms_repcat.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2799 || ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2800 || ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2801 || ORACLE dbms_repcat.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2802 || ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2803 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2804 || ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2805 || ORACLE dbms_repcat.set_columns buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2806 || ORACLE dbms_repcat.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2807 || ORACLE dbms_repcat.specify_new_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2808 || ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2809 || ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2810 || ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2811 || ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2812 || ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2813 || ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2814 || ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2815 || ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2816 || ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2817 || ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2818 || ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2819 || ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2820 || ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2821 || ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2822 || ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2823 || ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2824 || ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2825 || ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2826 || ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2827 || ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2828 || ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2829 || ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2830 || ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2831 || ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2832 || ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2833 || ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2834 || ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2835 || ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2836 || ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2837 || ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2838 || ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2839 || ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2840 || ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2841 || ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2842 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2843 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2844 || ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2845 || ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2846 || ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2847 || ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2848 || ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2849 || ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2850 || ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2851 || ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2852 || ORACLE dbms_repcat.generate_mview_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2853 || ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2854 || ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2855 || ORACLE dbms_repcat.remove_master_databases buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2856 || ORACLE dbms_repcat.switch_mview_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2857 || ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2858 || ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2859 || ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2860 || ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2861 || ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2862 || ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2863 || ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2864 || ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2865 || ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2866 || ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2867 || ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2868 || ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2869 || ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2870 || ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2871 || ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2872 || ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2873 || ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2874 || ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2875 || ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2876 || ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2877 || ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2878 || ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2879 || ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2880 || ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2881 || ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2882 || ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2883 || ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2884 || ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2885 || ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2886 || ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2887 || ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2888 || ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2889 || ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2890 || ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2891 || ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2892 || ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2893 || ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2894 || ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2895 || ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2896 || ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2897 || ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2898 || ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2899 || ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2900 || ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2901 || ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2902 || ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2903 || ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2904 || ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2905 || ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2906 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2907 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2908 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2909 || ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2910 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2911 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2912 || ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2913 || ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2914 || ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2915 || ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2916 || ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2917 || ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2918 || ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2919 || ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2921 || DNS UDP inverse query || bugtraq,2302 || cve,2001-0010
+2922 || DNS TCP inverse query || bugtraq,2302 || cve,2001-0010
+2923 || NETBIOS SMB repeated logon failure
+2924 || NETBIOS SMB-DS repeated logon failure
+2925 || INFO web bug 0x0 gif attempt
+2926 || WEB-PHP PhpGedView PGV base directory manipulation || bugtraq,9368
+2927 || NNTP XPAT pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx
+2928 || NETBIOS SMB nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206
+2929 || NETBIOS SMB nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206
+2930 || NETBIOS SMB-DS nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206
+2931 || NETBIOS SMB-DS nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206
+2932 || NETBIOS SMB nddeapi bind attempt || bugtraq,11372 || cve,2004-0206
+2933 || NETBIOS SMB nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206
+2934 || NETBIOS SMB-DS nddeapi bind attempt || bugtraq,11372 || cve,2004-0206
+2935 || NETBIOS SMB-DS nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206
+2936 || NETBIOS SMB NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206
+2937 || NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206
+2938 || NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206
+2939 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206
+2940 || NETBIOS SMB winreg bind attempt
+2941 || NETBIOS SMB winreg unicode bind attempt
+2942 || NETBIOS SMB InitiateSystemShutdown attempt
+2943 || NETBIOS SMB InitiateSystemShutdown little endian attempt
+2944 || NETBIOS SMB InitiateSystemShutdown unicode attempt
+2945 || NETBIOS SMB InitiateSystemShutdown unicode little endian attempt
+2946 || NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2947 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2948 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2949 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2950 || NETBIOS SMB too many stacked requests
+2951 || NETBIOS SMB-DS too many stacked requests
+2952 || NETBIOS SMB IPC$ andx share access
+2953 || NETBIOS SMB IPC$ unicode andx share access
+2954 || NETBIOS SMB-DS IPC$ andx share access
+2955 || NETBIOS SMB-DS IPC$ unicode andx share access
+2956 || NETBIOS SMB nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2957 || NETBIOS SMB nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2958 || NETBIOS SMB-DS nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2959 || NETBIOS SMB-DS nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2960 || NETBIOS SMB nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206
+2961 || NETBIOS SMB nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206
+2962 || NETBIOS SMB-DS nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206
+2963 || NETBIOS SMB-DS nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206
+2964 || NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2965 || NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2966 || NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2967 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2968 || NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2969 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2970 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2971 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2972 || NETBIOS SMB D$ andx share access
+2973 || NETBIOS SMB D$ unicode andx share access
+2974 || NETBIOS SMB-DS D$ andx share access
+2975 || NETBIOS SMB-DS D$ unicode andx share access
+2976 || NETBIOS SMB C$ andx share access
+2977 || NETBIOS SMB C$ unicode andx share access
+2978 || NETBIOS SMB-DS C$ andx share access
+2979 || NETBIOS SMB-DS C$ unicode andx share access
+2980 || NETBIOS SMB ADMIN$ andx share access
+2981 || NETBIOS SMB ADMIN$ unicode andx share access
+2982 || NETBIOS SMB-DS ADMIN$ andx share access
+2983 || NETBIOS SMB-DS ADMIN$ unicode andx share access
+2984 || NETBIOS SMB winreg andx create tree attempt
+2985 || NETBIOS SMB winreg unicode andx create tree attempt
+2986 || NETBIOS SMB-DS winreg andx create tree attempt
+2987 || NETBIOS SMB-DS winreg unicode andx create tree attempt
+2988 || NETBIOS SMB winreg andx bind attempt
+2989 || NETBIOS SMB winreg unicode andx bind attempt
+2990 || NETBIOS SMB-DS winreg andx bind attempt
+2991 || NETBIOS SMB-DS winreg unicode andx bind attempt
+2992 || NETBIOS SMB InitiateSystemShutdown andx attempt
+2993 || NETBIOS SMB InitiateSystemShutdown little endian andx attempt
+2994 || NETBIOS SMB InitiateSystemShutdown unicode andx attempt
+2995 || NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt
+2996 || NETBIOS SMB-DS InitiateSystemShutdown andx attempt
+2997 || NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt
+2998 || NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt
+2999 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt
+3000 || NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3001 || NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3002 || NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3003 || NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3004 || NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3005 || NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3006 || EXPLOIT Volition Freespace 2 buffer overflow attempt || bugtraq,9785
+3007 || IMAP delete overflow attempt || bugtraq,11675
+3008 || IMAP delete literal overflow attempt || bugtraq,11675
+3009 || BACKDOOR NetBus Pro 2.0 connection request
+3010 || BACKDOOR RUX the Tick get windows directory attempt
+3011 || BACKDOOR RUX the Tick get system directory attempt
+3012 || BACKDOOR RUX the Tick upload/execute arbitrary file attempt
+3013 || BACKDOOR Asylum 0.1 connection request
+3014 || BACKDOOR Asylum 0.1 connection established
+3015 || BACKDOOR Insane Network 4.0 connection established
+3016 || BACKDOOR Insane Network 4.0 connection established port 63536
+3017 || EXPLOIT WINS overflow attempt || bugtraq,11763 || cve,2004-1080 || url,www.immunitysec.com/downloads/instantanea.pdf || url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx
+3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154
+3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154
+3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154
+3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154
+3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154
+3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154
+3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154
+3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154
+3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154
+3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154
+3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154
+3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154
+3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt || cve,2004-1154
+3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154
+3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154
+3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154
+3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154
+3035 || NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154
+3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154
+3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154
+3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt || cve,2004-1154
+3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154
+3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154
+3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154
+3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
+3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3046 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt
+3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
+3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt
+3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3058 || IMAP copy literal overflow attempt || bugtraq,1110
+3059 || WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request
+3061 || MISC distccd command execution attempt || url,distcc.samba.org/security.html
+3062 || WEB-CGI NetScreen SA 5000 delhomepage.cgi access || bugtraq,9791
+3063 || BACKDOOR Vampire 1.2 connection request
+3064 || BACKDOOR Vampire 1.2 connection confirmation
+3065 || IMAP append literal overflow attempt || bugtraq,11775
+3066 || IMAP append overflow attempt || bugtraq,11775
+3067 || IMAP examine literal overflow attempt || bugtraq,11775
+3068 || IMAP examine overflow attempt || bugtraq,11775
+3069 || IMAP fetch literal overflow attempt || bugtraq,11775
+3070 || IMAP fetch overflow attempt || bugtraq,11775
+3071 || IMAP status literal overflow attempt || bugtraq,11775
+3072 || IMAP status overflow attempt || bugtraq,11775 || bugtraq,13727 || cve,2005-1256
+3073 || IMAP subscribe literal overflow attempt || bugtraq,11775
+3074 || IMAP subscribe overflow attempt || bugtraq,11775
+3075 || IMAP unsubscribe literal overflow attempt || bugtraq,11775
+3076 || IMAP unsubscribe overflow attempt || bugtraq,11775
+3077 || FTP RNFR overflow attempt
+3078 || NNTP SEARCH pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx
+3079 || WEB-CLIENT Microsoft ANI file parsing overflow || cve,2004-1049
+3080 || MISC Unreal Tournament secure overflow attempt || bugtraq,10570 || cve,2004-0608
+3081 || BACKDOOR Y3KRAT 1.5 Connect
+3082 || BACKDOOR Y3KRAT 1.5 Connect Client Response
+3083 || BACKDOOR Y3KRAT 1.5 Connection confirmation
+3084 || EXPLOIT Veritas backup overflow attempt || bugtraq,11974 || cve,2004-1172
+3085 || EXPLOIT AIM goaway message buffer overflow attempt || bugtraq,10889 || cve,2004-0636
+3086 || WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt || bugtraq,11408
+3087 || WEB-IIS w3who.dll buffer overflow attempt || bugtraq,11820 || cve,2004-1134
+3088 || WEB-CLIENT winamp .cda file name overflow attempt || bugtraq,11730
+3089 || DOS squid WCCP I_SEE_YOU message overflow attempt || bugtraq,12275 || cve,2005-0095
+3090 || NETBIOS SMB llsrpc create tree attempt
+3091 || NETBIOS SMB llsrpc unicode create tree attempt
+3092 || NETBIOS SMB llsrpc andx create tree attempt
+3093 || NETBIOS SMB llsrpc unicode andx create tree attempt
+3094 || NETBIOS SMB-DS llsrpc create tree attempt
+3095 || NETBIOS SMB-DS llsrpc unicode create tree attempt
+3096 || NETBIOS SMB-DS llsrpc andx create tree attempt
+3097 || NETBIOS SMB-DS llsrpc unicode andx create tree attempt
+3098 || NETBIOS SMB llsrpc bind attempt
+3099 || NETBIOS SMB llsrpc little endian bind attempt
+3100 || NETBIOS SMB llsrpc unicode bind attempt
+3101 || NETBIOS SMB llsrpc unicode little endian bind attempt
+3102 || NETBIOS SMB llsrpc andx bind attempt
+3103 || NETBIOS SMB llsrpc little endian andx bind attempt
+3104 || NETBIOS SMB llsrpc unicode andx bind attempt
+3105 || NETBIOS SMB llsrpc unicode little endian andx bind attempt
+3106 || NETBIOS SMB-DS llsrpc bind attempt
+3107 || NETBIOS SMB-DS llsrpc little endian bind attempt
+3108 || NETBIOS SMB-DS llsrpc unicode bind attempt
+3109 || NETBIOS SMB-DS llsrpc unicode little endian bind attempt
+3110 || NETBIOS SMB-DS llsrpc andx bind attempt
+3111 || NETBIOS SMB-DS llsrpc little endian andx bind attempt
+3112 || NETBIOS SMB-DS llsrpc unicode andx bind attempt
+3113 || NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt
+3114 || NETBIOS SMB llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3115 || NETBIOS SMB llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3116 || NETBIOS SMB llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3117 || NETBIOS SMB llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3118 || NETBIOS SMB llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3119 || NETBIOS SMB llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3120 || NETBIOS SMB llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3121 || NETBIOS SMB llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3122 || NETBIOS SMB-DS llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3123 || NETBIOS SMB-DS llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3124 || NETBIOS SMB-DS llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3125 || NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3126 || NETBIOS SMB-DS llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3127 || NETBIOS SMB-DS llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3128 || NETBIOS SMB-DS llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3129 || NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3130 || EXPLOIT MSN Messenger png overflow || bugtraq,10872 || cve,2004-0957 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3131 || WEB-CGI mailman directory traversal attempt || cve,2005-0202
+3132 || WEB-CLIENT PNG large image width download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3133 || WEB-CLIENT PNG large image height download attempt || bugtraq,11481 || bugtraq,11523 || cve,2004-0599 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3134 || WEB-CLIENT PNG large colour depth download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3135 || NETBIOS SMB Trans2 QUERY_FILE_INFO attempt
+3136 || NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt
+3137 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt
+3138 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt
+3139 || NETBIOS SMB Trans2 FIND_FIRST2 attempt
+3140 || NETBIOS SMB Trans2 FIND_FIRST2 andx attempt
+3141 || NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt
+3142 || NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt
+3143 || NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3144 || NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3145 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3146 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3147 || TELNET login buffer overflow attempt || bugtraq,3681 || cve,2001-0797
+3148 || WEB-CLIENT winhelp clsid attempt || bugtraq,4857 || cve,2002-0823 || url,www.ngssoftware.com/advisories/ms-winhlp.txt
+3149 || WEB-CLIENT object type overflow attempt || cve,2003-0344 || url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx
+3150 || WEB-IIS SQLXML content type overflow || bugtraq,5004 || cve,2002-0186 || url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx || url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt
+3151 || FINGER / execution attempt || cve,1999-0612 || cve,2000-0915
+3152 || MS-SQL sa brute force failed login attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673
+3153 || DNS TCP inverse query overflow || bugtraq,134 || cve,1999-0009
+3154 || DNS UDP inverse query overflow || bugtraq,134 || cve,1999-0009
+3155 || BACKDOOR BackOrifice 2000 Inbound Traffic
+3156 || NETBIOS DCERPC msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3157 || NETBIOS DCERPC msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3158 || NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3159 || NETBIOS DCERPC CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3160 || NETBIOS SMB msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3161 || NETBIOS SMB msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3162 || NETBIOS SMB msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3163 || NETBIOS SMB msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3164 || NETBIOS SMB msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3165 || NETBIOS SMB msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3166 || NETBIOS SMB msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3167 || NETBIOS SMB msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3168 || NETBIOS SMB-DS msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3169 || NETBIOS SMB-DS msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3170 || NETBIOS SMB-DS msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3171 || NETBIOS SMB-DS msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3172 || NETBIOS SMB-DS msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3173 || NETBIOS SMB-DS msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3174 || NETBIOS SMB-DS msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3175 || NETBIOS SMB-DS msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3176 || NETBIOS SMB CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3177 || NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3178 || NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3179 || NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3180 || NETBIOS SMB CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3181 || NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3182 || NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3183 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3184 || NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3185 || NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3186 || NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3187 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3188 || NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3189 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3190 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3191 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3192 || WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || cve,2003-0228 || url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx
+3193 || WEB-IIS .cmd executable file parsing attack || bugtraq,1912 || cve,2000-0886
+3194 || WEB-IIS .bat executable file parsing attack || bugtraq,1912 || cve,2000-0886
+3195 || NETBIOS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825
+3196 || NETBIOS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825
+3197 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3198 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3199 || EXPLOIT WINS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx
+3200 || EXPLOIT WINS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx
+3201 || WEB-IIS httpodbc.dll access - nimda || bugtraq,2708 || cve,2001-0333
+3202 || NETBIOS SMB winreg bind attempt
+3203 || NETBIOS SMB winreg little endian bind attempt
+3204 || NETBIOS SMB winreg unicode bind attempt
+3205 || NETBIOS SMB winreg unicode little endian bind attempt
+3206 || NETBIOS SMB winreg andx bind attempt
+3207 || NETBIOS SMB winreg little endian andx bind attempt
+3208 || NETBIOS SMB winreg unicode andx bind attempt
+3209 || NETBIOS SMB winreg unicode little endian andx bind attempt
+3210 || NETBIOS SMB-DS winreg bind attempt
+3211 || NETBIOS SMB-DS winreg little endian bind attempt
+3212 || NETBIOS SMB-DS winreg unicode bind attempt
+3213 || NETBIOS SMB-DS winreg unicode little endian bind attempt
+3214 || NETBIOS SMB-DS winreg andx bind attempt
+3215 || NETBIOS SMB-DS winreg little endian andx bind attempt
+3216 || NETBIOS SMB-DS winreg unicode andx bind attempt
+3217 || NETBIOS SMB-DS winreg unicode little endian andx bind attempt
+3218 || NETBIOS SMB OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx
+3219 || NETBIOS SMB OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3220 || NETBIOS SMB OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377
+3221 || NETBIOS SMB OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3222 || NETBIOS SMB OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3223 || NETBIOS SMB OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3224 || NETBIOS SMB OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3225 || NETBIOS SMB OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3226 || NETBIOS SMB-DS OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377
+3227 || NETBIOS SMB-DS OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3228 || NETBIOS SMB-DS OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377
+3229 || NETBIOS SMB-DS OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3230 || NETBIOS SMB-DS OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3231 || NETBIOS SMB-DS OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3232 || NETBIOS SMB-DS OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3233 || NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx
+3234 || NETBIOS Messenger message little endian overflow attempt || bugtraq,8826 || cve,2003-0717
+3235 || NETBIOS Messenger message overflow attempt || bugtraq,8826 || cve,2003-0717
+3236 || NETBIOS DCERPC irot bind attempt
+3237 || NETBIOS DCERPC irot little endian bind attempt
+3238 || NETBIOS DCERPC IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3239 || NETBIOS DCERPC IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3240 || NETBIOS SMB irot bind attempt
+3241 || NETBIOS SMB irot little endian bind attempt
+3242 || NETBIOS SMB irot unicode bind attempt
+3243 || NETBIOS SMB irot unicode little endian bind attempt
+3244 || NETBIOS SMB irot andx bind attempt
+3245 || NETBIOS SMB irot little endian andx bind attempt
+3246 || NETBIOS SMB irot unicode andx bind attempt
+3247 || NETBIOS SMB irot unicode little endian andx bind attempt
+3248 || NETBIOS SMB-DS irot bind attempt
+3249 || NETBIOS SMB-DS irot little endian bind attempt
+3250 || NETBIOS SMB-DS irot unicode bind attempt
+3251 || NETBIOS SMB-DS irot unicode little endian bind attempt
+3252 || NETBIOS SMB-DS irot andx bind attempt
+3253 || NETBIOS SMB-DS irot little endian andx bind attempt
+3254 || NETBIOS SMB-DS irot unicode andx bind attempt
+3255 || NETBIOS SMB-DS irot unicode little endian andx bind attempt
+3256 || NETBIOS SMB IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3257 || NETBIOS SMB IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3258 || NETBIOS SMB IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3259 || NETBIOS SMB IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3260 || NETBIOS SMB IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3261 || NETBIOS SMB IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3262 || NETBIOS SMB IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3263 || NETBIOS SMB IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3264 || NETBIOS SMB-DS IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3265 || NETBIOS SMB-DS IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3266 || NETBIOS SMB-DS IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3267 || NETBIOS SMB-DS IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3268 || NETBIOS SMB-DS IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3269 || NETBIOS SMB-DS IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3270 || NETBIOS SMB-DS IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3271 || NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx
+3272 || BACKDOOR mydoom.a backdoor upload/execute attempt
+3273 || MS-SQL sa brute force failed login unicode attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673
+3274 || TELNET login buffer non-evasive overflow attempt || bugtraq,3681 || cve,2001-0797
+3275 || NETBIOS DCERPC IActivation bind attempt
+3276 || NETBIOS DCERPC IActivation little endian bind attempt
+3377 || NETBIOS SMB IActivation bind attempt
+3378 || NETBIOS SMB IActivation little endian bind attempt
+3379 || NETBIOS SMB IActivation unicode bind attempt
+3380 || NETBIOS SMB IActivation unicode little endian bind attempt
+3381 || NETBIOS SMB IActivation andx bind attempt
+3382 || NETBIOS SMB IActivation little endian andx bind attempt
+3383 || NETBIOS SMB IActivation unicode andx bind attempt
+3384 || NETBIOS SMB IActivation unicode little endian andx bind attempt
+3385 || NETBIOS SMB-DS IActivation bind attempt
+3386 || NETBIOS SMB-DS IActivation little endian bind attempt
+3387 || NETBIOS SMB-DS IActivation unicode bind attempt
+3388 || NETBIOS SMB-DS IActivation unicode little endian bind attempt
+3389 || NETBIOS SMB-DS IActivation andx bind attempt
+3390 || NETBIOS SMB-DS IActivation little endian andx bind attempt
+3391 || NETBIOS SMB-DS IActivation unicode andx bind attempt
+3392 || NETBIOS SMB-DS IActivation unicode little endian andx bind attempt
+3393 || NETBIOS SMB ISystemActivator bind attempt
+3394 || NETBIOS SMB ISystemActivator little endian bind attempt
+3395 || NETBIOS SMB ISystemActivator unicode bind attempt
+3396 || NETBIOS SMB ISystemActivator unicode little endian bind attempt
+3397 || NETBIOS SMB ISystemActivator andx bind attempt
+3398 || NETBIOS SMB ISystemActivator little endian andx bind attempt
+3399 || NETBIOS SMB ISystemActivator unicode andx bind attempt
+3400 || NETBIOS SMB ISystemActivator unicode little endian andx bind attempt
+3401 || NETBIOS SMB-DS ISystemActivator bind attempt
+3402 || NETBIOS SMB-DS ISystemActivator little endian bind attempt
+3403 || NETBIOS SMB-DS ISystemActivator unicode bind attempt
+3404 || NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt
+3405 || NETBIOS SMB-DS ISystemActivator andx bind attempt
+3406 || NETBIOS SMB-DS ISystemActivator little endian andx bind attempt
+3407 || NETBIOS SMB-DS ISystemActivator unicode andx bind attempt
+3408 || NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt
+3409 || NETBIOS SMB RemoteActivation attempt
+3410 || NETBIOS SMB RemoteActivation little endian attempt
+3411 || NETBIOS SMB RemoteActivation unicode attempt
+3412 || NETBIOS SMB RemoteActivation unicode little endian attempt
+3413 || NETBIOS SMB RemoteActivation andx attempt
+3414 || NETBIOS SMB RemoteActivation little endian andx attempt
+3415 || NETBIOS SMB RemoteActivation unicode andx attempt
+3416 || NETBIOS SMB RemoteActivation unicode little endian andx attempt
+3417 || NETBIOS SMB-DS RemoteActivation attempt
+3418 || NETBIOS SMB-DS RemoteActivation little endian attempt
+3419 || NETBIOS SMB-DS RemoteActivation unicode attempt
+3420 || NETBIOS SMB-DS RemoteActivation unicode little endian attempt
+3421 || NETBIOS SMB-DS RemoteActivation andx attempt
+3422 || NETBIOS SMB-DS RemoteActivation little endian andx attempt
+3423 || NETBIOS SMB-DS RemoteActivation unicode andx attempt
+3424 || NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt
+3425 || NETBIOS SMB CoGetInstanceFromFile attempt
+3426 || NETBIOS SMB CoGetInstanceFromFile little endian attempt
+3427 || NETBIOS SMB CoGetInstanceFromFile unicode attempt
+3428 || NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt
+3429 || NETBIOS SMB CoGetInstanceFromFile andx attempt
+3430 || NETBIOS SMB CoGetInstanceFromFile little endian andx attempt
+3431 || NETBIOS SMB CoGetInstanceFromFile unicode andx attempt
+3432 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt
+3433 || NETBIOS SMB-DS CoGetInstanceFromFile attempt
+3434 || NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt
+3435 || NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt
+3436 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt
+3437 || NETBIOS SMB-DS CoGetInstanceFromFile andx attempt
+3438 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt
+3439 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt
+3440 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt
+3441 || FTP PORT bounce attempt
+3442 || DOS WIN32 TCP print service denial of service attempt || bugtraq,1082 || cve,2000-0232 || url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx
+3443 || MS-SQL DNS query with 1 requests
+3444 || MS-SQL DNS query with 2 requests
+3445 || MS-SQL DNS query with 3 requests
+3446 || MS-SQL DNS query with 4 requests
+3447 || MS-SQL DNS query with 5 requests
+3448 || MS-SQL DNS query with 6 requests
+3449 || MS-SQL DNS query with 7 requests
+3450 || MS-SQL DNS query with 8 requests
+3451 || MS-SQL DNS query with 9 requests
+3452 || MS-SQL DNS query with 10 requests
+3453 || MISC Arkeia client backup system info probe || bugtraq,12594
+3454 || MISC Arkeia client backup generic info probe || bugtraq,12594
+3455 || EXPLOIT Bontago Game Server Nickname Buffer Overflow || bugtraq,12603 || url,aluigi.altervista.org/adv/bontagobof-adv.txt
+3456 || MYSQL 4.0 root login attempt
+3457 || EXPLOIT Arkeia backup client type 77 overflow attempt || bugtraq,12594
+3458 || EXPLOIT Arkeia backup client type 84 overflow attempt || bugtraq,12594
+3459 || P2P Manolito Search Query || url,openlito.sourceforge.net || url,www.blubster.com
+3460 || FTP REST with numeric argument || bugtraq,7825
+3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
+3462 || SMTP Content-Encoding overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
+3463 || WEB-CGI awstats access || bugtraq,12572
+3464 || WEB-CGI awstats.pl command execution attempt || bugtraq,12572
+3465 || WEB-CGI RiSearch show.pl proxy attempt || bugtraq,10812
+3466 || WEB-MISC Authorization Basic overflow attempt || bugtraq,8375 || cve,2003-0727
+3467 || WEB-MISC CISCO VoIP Portinformation access || bugtraq,4798 || cve,2002-0882
+3468 || WEB-CGI math_sum.mscgi access || bugtraq,10831 || nessus,14182
+3469 || WEB-CGI Ipswitch WhatsUp Gold dos attempt || bugtraq,11110 || cve,2004-0799 || url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities || url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html || url,www.secunia.com/advisories/12578/
+3470 || WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow || bugtraq,11309 || url,www.eeye.com/html/research/advisories/AD20041001.html
+3471 || WEB-CLIENT iTunes playlist URL overflow attempt || bugtraq,12238 || cve,2005-0043
+3472 || EXPLOIT ARCserve discovery service overflow || bugtraq,12491 || can,2005-0260
+3473 || WEB-CLIENT RealPlayer SMIL file overflow attempt || bugtraq,12698 || cve,2005-0455
+3474 || EXPLOIT ARCserve backup TCP slot info msg client name overflow || bugtraq,12563
+3475 || EXPLOIT ARCserve backup TCP slot info msg client domain overflow || bugtraq,12563
+3476 || EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow || bugtraq,12563
+3477 || EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow || bugtraq,12563
+3478 || EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow || bugtraq,12563
+3479 || EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow || bugtraq,12563
+3480 || EXPLOIT ARCserve backup UDP slot info msg client name overflow || bugtraq,12563
+3481 || EXPLOIT ARCserve backup UDP slot info msg client domain overflow || bugtraq,12563
+3482 || EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow || bugtraq,12563
+3483 || EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow || bugtraq,12563
+3484 || EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow || bugtraq,12563
+3485 || EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow || bugtraq,12563
+3486 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+3487 || IMAP SSLv2 Client_Hello request
+3488 || IMAP SSLv2 Client_Hello with pad request
+3489 || IMAP TLSv1 Client_Hello request
+3490 || IMAP TLSv1 Client_Hello via SSLv2 handshake request
+3491 || IMAP SSLv2 Server_Hello request
+3492 || IMAP TLSv1 Server_Hello request
+3493 || SMTP SSLv2 Client_Hello request
+3494 || SMTP SSLv2 Client_Hello with pad request
+3495 || SMTP TLSv1 Client_Hello request
+3496 || SMTP TLSv1 Client_Hello via SSLv2 handshake request
+3497 || SMTP SSLv2 Server_Hello request
+3498 || SMTP TLSv1 Server_Hello request
+3499 || POP3 SSLv2 Client_Hello request
+3500 || POP3 SSLv2 Client_Hello with pad request
+3501 || POP3 TLSv1 Client_Hello request
+3502 || POP3 TLSv1 Client_Hello via SSLv2 handshake request
+3503 || POP3 SSLv2 Server_Hello request
+3504 || POP3 TLSv1 Server_Hello request
+3505 || POP3 SSLv2 Client_Hello request
+3506 || POP3 SSLv2 Client_Hello with pad request
+3507 || POP3 TLSv1 Client_Hello request
+3508 || POP3 TLSv1 Client_Hello via SSLv2 handshake request
+3509 || POP3 SSLv2 Server_Hello request
+3510 || POP3 TLSv1 Server_Hello request
+3511 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+3512 || ORACLE utl_file.fcopy directory traversal attempt || bugtraq,12749
+3513 || ORACLE utl_file.fopen_nchar directory traversal attempt || bugtraq,12749
+3514 || ORACLE utl_file.fopen directory traversal attempt || bugtraq,12749
+3515 || ORACLE utl_file.fremove directory traversal attempt || bugtraq,12749
+3516 || ORACLE utl_file.frename directory traversal attempt || bugtraq,12749
+3517 || EXPLOIT Computer Associates license PUTOLF overflow attempt || bugtraq,12705 || cve,2005-0581
+3518 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow || bugtraq,12265
+3519 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow default port || bugtraq,12265
+3520 || EXPLOIT Computer Associates license GCR NETWORK overflow attempt || bugtraq,12705 || cve,2005-0581
+3521 || EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt || bugtraq,12705 || cve,2005-0581
+3522 || EXPLOIT Computer Associates license GETCONFIG server overflow attempt || bugtraq,12705 || cve,2005-0581
+3523 || FTP SITE INDEX format string attempt
+3524 || EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt || bugtraq,12705 || cve,2005-0581
+3525 || EXPLOIT Computer Associates license invalid GCR NETWORK attempt || bugtraq,12705 || cve,2005-0581
+3526 || ORACLE XDB FTP UNLOCK overflow attempt || bugtraq,8375 || cve,2003-0727
+3527 || EXPLOIT Solaris LPD overflow attempt || bugtraq,3274
+3528 || MYSQL CREATE FUNCTION attempt || bugtraq,12781 || cve,2005-0709
+3529 || EXPLOIT Computer Associates license GETCONFIG client overflow attempt || bugtraq,12705 || cve,2005-0581
+3530 || EXPLOIT ARCserve backup UDP msg 0x99 client name overflow || bugtraq,12563
+3531 || EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow || bugtraq,12563
+3532 || FTP ORACLE password buffer overflow attempt || bugtraq,8375
+3533 || TELNET client LINEMODE SLC overflow attempt || bugtraq,12918 || cve,2005-0469
+3534 || WEB-CLIENT Mozilla GIF heap overflow || bugtraq,12881 || cve,2005-0399
+3535 || WEB-CLIENT GIF transfer
+3536 || WEB-CLIENT Mozilla GIF multipacket heap overflow || bugtraq,12881 || cve,2005-0399
+3537 || TELNET client ENV OPT escape overflow attempt || bugtraq,12918 || cve,2005-0469
+3538 || EXPLOIT RADIUS registration MSID overflow attempt || bugtraq,12759 || cve,2005-0699
+3539 || EXPLOIT RADIUS MSID overflow attempt || bugtraq,12759 || cve,2005-0699
+3540 || EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699
+3541 || EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699
+3542 || MS-SQL SA brute force login attempt || cve,2000-1209 || nessus,10673
+3543 || MS-SQL SA brute force login attempt TDS v7/8 || cve,2000-1209 || nessus,10673
+3544 || WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt || bugtraq,12592 || cve,2005-0481
+3545 || WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure || bugtraq,12592 || cve,2005-0481
+3546 || WEB-MISC TrackerCam User-Agent buffer overflow attempt || bugtraq,12592 || cve,2005-0481
+3547 || WEB-MISC TrackerCam overly long php parameter overflow attempt || bugtraq,12592 || cve,2005-0481
+3548 || WEB-MISC TrackerCam negative Content-Length attempt || bugtraq,12592 || cve,2005-0481
+3549 || WEB-CLIENT HTML DOM invalid element creation attempt || cve,2005-0553
+3550 || WEB-CLIENT HTML http scheme hostname overflow attempt || cve,2005-0553
+3551 || WEB-CLIENT .hta download attempt
+3552 || WEB-CLIENT OLE32 MSHTA masquerade attempt || cve,2005-0063
+3553 || WEB-CLIENT HTML DOM null element insertion attempt || cve,2005-0553
+3554 || NETBIOS DCERPC-DIRECT mqqm bind attempt
+3555 || NETBIOS DCERPC-DIRECT mqqm little endian bind attempt
+3556 || NETBIOS DCERPC mqqm bind attempt
+3557 || NETBIOS DCERPC mqqm little endian bind attempt
+3558 || NETBIOS SMB mqqm WriteAndX andx bind attempt
+3559 || NETBIOS SMB mqqm WriteAndX bind attempt
+3560 || NETBIOS SMB mqqm WriteAndX little endian andx bind attempt
+3561 || NETBIOS SMB mqqm WriteAndX little endian bind attempt
+3562 || NETBIOS SMB mqqm WriteAndX unicode andx bind attempt
+3563 || NETBIOS SMB mqqm WriteAndX unicode bind attempt
+3564 || NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt
+3565 || NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt
+3566 || NETBIOS SMB mqqm andx bind attempt
+3567 || NETBIOS SMB mqqm bind attempt
+3568 || NETBIOS SMB mqqm little endian andx bind attempt
+3569 || NETBIOS SMB mqqm little endian bind attempt
+3570 || NETBIOS SMB mqqm unicode andx bind attempt
+3571 || NETBIOS SMB mqqm unicode bind attempt
+3572 || NETBIOS SMB mqqm unicode little endian andx bind attempt
+3573 || NETBIOS SMB mqqm unicode little endian bind attempt
+3574 || NETBIOS SMB-DS mqqm WriteAndX andx bind attempt
+3575 || NETBIOS SMB-DS mqqm WriteAndX bind attempt
+3576 || NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt
+3577 || NETBIOS SMB-DS mqqm WriteAndX little endian bind attempt
+3578 || NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt
+3579 || NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt
+3580 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt
+3581 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt
+3582 || NETBIOS SMB-DS mqqm andx bind attempt
+3583 || NETBIOS SMB-DS mqqm bind attempt
+3584 || NETBIOS SMB-DS mqqm little endian andx bind attempt
+3585 || NETBIOS SMB-DS mqqm little endian bind attempt
+3586 || NETBIOS SMB-DS mqqm unicode andx bind attempt
+3587 || NETBIOS SMB-DS mqqm unicode bind attempt
+3588 || NETBIOS SMB-DS mqqm unicode little endian andx bind attempt
+3589 || NETBIOS SMB-DS mqqm unicode little endian bind attempt
+3590 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3591 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3592 || NETBIOS DCERPC mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3593 || NETBIOS DCERPC mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3594 || NETBIOS SMB mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3595 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3596 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3597 || NETBIOS SMB mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3598 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3599 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3600 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3601 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3602 || NETBIOS SMB mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3603 || NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3604 || NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3605 || NETBIOS SMB mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3606 || NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3607 || NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3608 || NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3609 || NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3610 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3611 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3612 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3613 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3614 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3615 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3616 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3617 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3618 || NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3619 || NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3620 || NETBIOS SMB-DS mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3621 || NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3622 || NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3623 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3624 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3625 || NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
+3626 || ICMP PATH MTU denial of service || cve,2004-1060
+3627 || POLICY X-LINK2STATE CHUNK attempt || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx
+3628 || POLICY IDA Pro startup license check attempt
+3629 || WEB-MISC sambar /search/results.stm access || bugtraq,7975
+3630 || FTP ORACLE TEST command buffer overflow attempt || bugtraq,8375
+3631 || FTP ORACLE user name buffer overflow attempt || bugtraq,8375
+3632 || WEB-CLIENT Mozilla bitmap width integer overflow attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067
+3633 || WEB-CLIENT bitmap transfer
+3634 || WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067
+3635 || BACKDOOR Amanda 2.0 connection established
+3636 || BACKDOOR Crazzy Net 5.0 connection established
+3637 || EXPLOIT Computer Associates license PUTOLF directory traversal attempt || bugtraq,12705 || cve,2005-0581
+3638 || WEB-CGI SoftCart.exe CGI buffer overflow attempt || bugtraq,10926
+3639 || NETBIOS SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3640 || NETBIOS SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3641 || NETBIOS SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3642 || NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3643 || NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3644 || NETBIOS SMB-DS Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3645 || NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3646 || NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3647 || NETBIOS-DG SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3648 || NETBIOS-DG SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3649 || NETBIOS-DG SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3650 || NETBIOS-DG SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html
+3651 || EXPLOIT CVS rsh annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142
+3652 || EXPLOIT CVS pserver annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142
+3653 || SMTP SAML overflow attempt || bugtraq,11238
+3654 || SMTP SOML overflow attempt || bugtraq,11238
+3655 || SMTP SEND overflow attempt || bugtraq,11238
+3656 || SMTP MAIL overflow attempt || bugtraq,11238
+3657 || ORACLE ctxsys.driload attempt || bugtraq,11099 || cve,2004-0637
+3658 || EXPLOIT ARCserve backup universal agent option 1000 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
+3659 || EXPLOIT ARCserve backup universal agent option 1000 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
+3660 || EXPLOIT ARCserve backup universal agent option 00 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
+3661 || EXPLOIT ARCserve backup universal agent option 00 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
+3662 || EXPLOIT ARCserve backup universal agent option 03 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018
+3663 || EXPLOIT ARCserve backup universal agent option 03 buffer overflow attempt || bugtraq,13102 || cve,2005-1018
+3664 || EXPLOIT PPTP echo request buffer overflow attempt || bugtaq,7316 || cve,2003-0213
+3665 || MYSQL server greeting || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
+3666 || MYSQL server greeting finished || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt,
+3667 || MYSQL protocol 41 client authentication bypass attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
+3668 || MYSQL client authentication bypass attempt || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt,
+3669 || MYSQL protocol 41 secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
+3670 || MYSQL secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
+3671 || MYSQL protocol 41 client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
+3672 || MYSQL client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt
+3673 || MISC Microsoft SMS remote control client DoS overly long length attempt || bugtraq,10726 || cve,2004-0728
+3674 || WEB-CGI db4web_c directory traversal attempt || bugtraq,5723 || cve,2002-1483 || nessus,11182
+3675 || MISC IBM DB2 DTS empty format string dos attempt || bugtraq,11400 || url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781
+3676 || WEB-MISC newsscript.pl admin attempt || bugtraq,12761
+3677 || EXPLOIT SIP UDP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html
+3678 || EXPLOIT SIP TCP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html
+3679 || WEB-CLIENT Firefox IFRAME src javascript code execution || bugtraq,13544 || cve,2005-1476
+3680 || P2P AOL Instant Messenger Message Send
+3681 || P2P AOL Instant Messenger Message Receive
+3682 || SMTP spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx
+3683 || WEB-CLIENT spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx
+3684 || WEB-CLIENT Bitmap Transfer
+3685 || WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt || bugtraq,9663 || cve,2004-0566
+3686 || WEB-CLIENT Internet Explorer Content Advisor attempted overflow || bugtraq,13117 || cve,2005-0555
+3687 || TELNET client ENV OPT USERVAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx
+3688 || TELNET client ENV OPT VAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx
+3689 || WEB-CLIENT Internet Explorer tRNS overflow attempt || bugtraq,13941 || cve,2005-1211 || url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx
+3690 || WEB-CGI Nucleus CMS action.php itemid SQL injection || bugtraq,10798 || nessus,14194
+3691 || CHAT Yahoo Messenger Message
+3692 || CHAT Yahoo Messenger File Transfer Initiation Request
+3693 || WEB-MISC IBM WebSphere j_security_check overflow attempt || bugtraq,13853
+3694 || WEB-MISC Squid content length cache poisoning attempt || bugtraq,12412 || cve,2005-0174
+3695 || EXPLOIT Veritas Backup Agent password overflow attempt || cve,2005-0773
+3696 || EXPLOIT Veritas Backup Agent DoS attempt || bugtraq,14201 || cve,2005-0772
+3697 || NETBIOS DCERPC DIRECT veritas alter context attempt
+3698 || NETBIOS DCERPC DIRECT veritas bind attempt
+3699 || NETBIOS DCERPC DIRECT veritas little endian alter context attempt
+3700 || NETBIOS DCERPC DIRECT veritas little endian bind attempt
+3701 || NETBIOS DCERPC NCACN-IP-TCP veritas alter context attempt
+3702 || NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt
+3703 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian alter context attempt
+3704 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian bind attempt
+3705 || NETBIOS SMB veritas WriteAndX alter context attempt
+3706 || NETBIOS SMB veritas WriteAndX andx alter context attempt
+3707 || NETBIOS SMB veritas WriteAndX andx bind attempt
+3708 || NETBIOS SMB veritas WriteAndX bind attempt
+3709 || NETBIOS SMB veritas WriteAndX little endian alter context attempt
+3710 || NETBIOS SMB veritas WriteAndX little endian andx alter context attempt
+3711 || NETBIOS SMB veritas WriteAndX little endian andx bind attempt
+3712 || NETBIOS SMB veritas WriteAndX little endian bind attempt
+3713 || NETBIOS SMB veritas WriteAndX unicode alter context attempt
+3714 || NETBIOS SMB veritas WriteAndX unicode andx alter context attempt
+3715 || NETBIOS SMB veritas WriteAndX unicode andx bind attempt
+3716 || NETBIOS SMB veritas WriteAndX unicode bind attempt
+3717 || NETBIOS SMB veritas WriteAndX unicode little endian alter context attempt
+3718 || NETBIOS SMB veritas WriteAndX unicode little endian andx alter context attempt
+3719 || NETBIOS SMB veritas WriteAndX unicode little endian andx bind attempt
+3720 || NETBIOS SMB veritas WriteAndX unicode little endian bind attempt
+3721 || NETBIOS SMB veritas alter context attempt
+3722 || NETBIOS SMB veritas andx alter context attempt
+3723 || NETBIOS SMB veritas andx bind attempt
+3724 || NETBIOS SMB veritas bind attempt
+3725 || NETBIOS SMB veritas little endian alter context attempt
+3726 || NETBIOS SMB veritas little endian andx alter context attempt
+3727 || NETBIOS SMB veritas little endian andx bind attempt
+3728 || NETBIOS SMB veritas little endian bind attempt
+3729 || NETBIOS SMB veritas unicode alter context attempt
+3730 || NETBIOS SMB veritas unicode andx alter context attempt
+3731 || NETBIOS SMB veritas unicode andx bind attempt
+3732 || NETBIOS SMB veritas unicode bind attempt
+3733 || NETBIOS SMB veritas unicode little endian alter context attempt
+3734 || NETBIOS SMB veritas unicode little endian andx alter context attempt
+3735 || NETBIOS SMB veritas unicode little endian andx bind attempt
+3736 || NETBIOS SMB veritas unicode little endian bind attempt
+3737 || NETBIOS SMB-DS veritas WriteAndX alter context attempt
+3738 || NETBIOS SMB-DS veritas WriteAndX andx alter context attempt
+3739 || NETBIOS SMB-DS veritas WriteAndX andx bind attempt
+3740 || NETBIOS SMB-DS veritas WriteAndX bind attempt
+3741 || NETBIOS SMB-DS veritas WriteAndX little endian alter context attempt
+3742 || NETBIOS SMB-DS veritas WriteAndX little endian andx alter context attempt
+3743 || NETBIOS SMB-DS veritas WriteAndX little endian andx bind attempt
+3744 || NETBIOS SMB-DS veritas WriteAndX little endian bind attempt
+3745 || NETBIOS SMB-DS veritas WriteAndX unicode alter context attempt
+3746 || NETBIOS SMB-DS veritas WriteAndX unicode andx alter context attempt
+3747 || NETBIOS SMB-DS veritas WriteAndX unicode andx bind attempt
+3748 || NETBIOS SMB-DS veritas WriteAndX unicode bind attempt
+3749 || NETBIOS SMB-DS veritas WriteAndX unicode little endian alter context attempt
+3750 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx alter context attempt
+3751 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx bind attempt
+3752 || NETBIOS SMB-DS veritas WriteAndX unicode little endian bind attempt
+3753 || NETBIOS SMB-DS veritas alter context attempt
+3754 || NETBIOS SMB-DS veritas andx alter context attempt
+3755 || NETBIOS SMB-DS veritas andx bind attempt
+3756 || NETBIOS SMB-DS veritas bind attempt
+3757 || NETBIOS SMB-DS veritas little endian alter context attempt
+3758 || NETBIOS SMB-DS veritas little endian andx alter context attempt
+3759 || NETBIOS SMB-DS veritas little endian andx bind attempt
+3760 || NETBIOS SMB-DS veritas little endian bind attempt
+3761 || NETBIOS SMB-DS veritas unicode alter context attempt
+3762 || NETBIOS SMB-DS veritas unicode andx alter context attempt
+3763 || NETBIOS SMB-DS veritas unicode andx bind attempt
+3764 || NETBIOS SMB-DS veritas unicode bind attempt
+3765 || NETBIOS SMB-DS veritas unicode little endian alter context attempt
+3766 || NETBIOS SMB-DS veritas unicode little endian andx alter context attempt
+3767 || NETBIOS SMB-DS veritas unicode little endian andx bind attempt
+3768 || NETBIOS SMB-DS veritas unicode little endian bind attempt
+3769 || NETBIOS DCERPC NCACN-HTTP veritas alter context attempt
+3770 || NETBIOS DCERPC NCACN-HTTP veritas bind attempt
+3771 || NETBIOS DCERPC NCACN-HTTP veritas little endian alter context attempt
+3772 || NETBIOS DCERPC NCACN-HTTP veritas little endian bind attempt
+3773 || NETBIOS DCERPC DIRECT-UDP veritas alter context attempt
+3774 || NETBIOS DCERPC DIRECT-UDP veritas bind attempt
+3775 || NETBIOS DCERPC DIRECT-UDP veritas little endian alter context attempt
+3776 || NETBIOS DCERPC DIRECT-UDP veritas little endian bind attempt
+3777 || NETBIOS DCERPC NCADG-IP-UDP veritas alter context attempt
+3778 || NETBIOS DCERPC NCADG-IP-UDP veritas bind attempt
+3779 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian alter context attempt
+3780 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian bind attempt
+3781 || NETBIOS-DG SMB veritas WriteAndX alter context attempt
+3782 || NETBIOS-DG SMB veritas WriteAndX andx alter context attempt
+3783 || NETBIOS-DG SMB veritas WriteAndX andx bind attempt
+3784 || NETBIOS-DG SMB veritas WriteAndX bind attempt
+3785 || NETBIOS-DG SMB veritas WriteAndX little endian alter context attempt
+3786 || NETBIOS-DG SMB veritas WriteAndX little endian andx alter context attempt
+3787 || NETBIOS-DG SMB veritas WriteAndX little endian andx bind attempt
+3788 || NETBIOS-DG SMB veritas WriteAndX little endian bind attempt
+3789 || NETBIOS-DG SMB veritas WriteAndX unicode alter context attempt
+3790 || NETBIOS-DG SMB veritas WriteAndX unicode andx alter context attempt
+3791 || NETBIOS-DG SMB veritas WriteAndX unicode andx bind attempt
+3792 || NETBIOS-DG SMB veritas WriteAndX unicode bind attempt
+3793 || NETBIOS-DG SMB veritas WriteAndX unicode little endian alter context attempt
+3794 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx alter context attempt
+3795 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx bind attempt
+3796 || NETBIOS-DG SMB veritas WriteAndX unicode little endian bind attempt
+3797 || NETBIOS-DG SMB veritas alter context attempt
+3798 || NETBIOS-DG SMB veritas andx alter context attempt
+3799 || NETBIOS-DG SMB veritas andx bind attempt
+3800 || NETBIOS-DG SMB veritas bind attempt
+3801 || NETBIOS-DG SMB veritas little endian alter context attempt
+3802 || NETBIOS-DG SMB veritas little endian andx alter context attempt
+3803 || NETBIOS-DG SMB veritas little endian andx bind attempt
+3804 || NETBIOS-DG SMB veritas little endian bind attempt
+3805 || NETBIOS-DG SMB veritas unicode alter context attempt
+3806 || NETBIOS-DG SMB veritas unicode andx alter context attempt
+3807 || NETBIOS-DG SMB veritas unicode andx bind attempt
+3808 || NETBIOS-DG SMB veritas unicode bind attempt
+3809 || NETBIOS-DG SMB veritas unicode little endian alter context attempt
+3810 || NETBIOS-DG SMB veritas unicode little endian andx alter context attempt
+3811 || NETBIOS-DG SMB veritas unicode little endian andx bind attempt
+3812 || NETBIOS-DG SMB veritas unicode little endian bind attempt
+3813 || WEB-CGI awstats.pl configdir command execution attempt || bugtraq,12298 || cve,2005-0116
+3814 || WEB-CLIENT IE javaprxy.dll COM access || bugtraq,14087 || cve,2005-2087
+3815 || SMTP eXchange POP3 mail server overflow attempt || bugtraq,10180
+3816 || WEB-MISC BadBlue ext.dll buffer overflow attempt || bugtraq,7387
+3817 || TFTP GET transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
+3818 || TFTP PUT transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
+3819 || WEB-CLIENT multipacket CHM file transfer start || bugtraq,13953 || cve,2005-1208 || nessus,18482
+3820 || WEB-CLIENT multipacket CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
+3821 || WEB-CLIENT CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
+3822 || WEB-MISC Real Player realtext long URI request
+3823 || WEB-MISC Real Player realtext file bad version buffer overflow attempt || bugtraq,14048 || cve,2005-1766
+3824 || SMTP AUTH user overflow attempt || bugtraq,13772
+3825 || POLICY AOL Instant Messenger Message Send
+3826 || POLICY AOL Instant Messenger Message Receive
+3827 || WEB-PHP xmlrpc.php post attempt || bugtraq,14088 || cve,2005-1921
--- /dev/null
+++ b/rules/dns.rules
@@ -0,0 +1,54 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: dns.rules,v 1.38.2.3.2.3 2005/05/31 17:13:02 mwatchinski Exp $
+#----------
+# DNS RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:7;)
+
+
+
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2922; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2921; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)
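Review bot: The commented-out `DNS TCP inverse query` rule (sid:2922) tests the byte at offset 2, whereas the enabled TCP rule sid:3153 tests offset 4 and only the UDP rules use offset 2. DNS over TCP puts a two-byte length prefix before the header, so offset 2 on TCP is the first byte of the transaction ID, not the opcode byte. If someone uncomments the rule as shipped, it would alert on ID values rather than on inverse queries. Either ship it as `byte_test:1,<,16,4; byte_test:1,&,8,4;` or put a comment above it such as `# disabled: TCP variant must test offset 4 (see sid:3153)`. Its references (bugtraq,2302 / cve,2001-0010) are the ones used by the tsig overflow rule sid:303, which also looks worth confirming before anyone enables it.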
--- /dev/null
+++ b/rules/community-icmp.rules
@@ -0,0 +1,8 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-icmp.rules,v 1.4 2006/06/01 15:51:28 akirk Exp $
+
+#Rule submitted by rmkml
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP Linux DoS sctp Exploit"; icode:2; itype:3; content:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:nessus,19777; classtype:attempted-user; sid:100000164; rev:2;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:1;)
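Review bot: sid:100000164 describes a denial of service in its `msg` ("Linux DoS sctp Exploit") but is tagged `classtype:attempted-user`, so it will be prioritised and reported as a privilege-gain attempt. The priorities depend on the local classification.config, which is not shown here. If the event really is a DoS, `classtype:attempted-dos;` would keep triage and reporting consistent with the DoS rules in community-game.rules. The 24-byte `content` also has no `offset` or `depth`, so it is searched across the whole ICMP payload; a comment above the rule saying where that pattern sits in the quoted packet would help the next maintainer tighten it.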
--- /dev/null
+++ b/rules/community-oracle.rules
@@ -0,0 +1,6 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-oracle.rules,v 1.2 2005/10/13 14:16:06 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; content:"COMMAND"; nocase; distance:0; content:"STOP"; nocase; distance:0; content:"LISTENER"; nocase; distance:0; pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/si"; reference:bugtraq,15032; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user; sid:100000166; rev:1;)
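Review bot: The destination port in sid:100000166 is hard-coded to 3339, so the rule gives no coverage where iSQL*Plus is served on any other port, and nothing in the file tells the operator that. A comment above the rule would make the assumption visible, for example `# Destination port 3339 is hard-coded; change it if iSQL*Plus listens elsewhere.` The rule is also tagged `classtype:attempted-user` although the `msg` describes a listener shutdown; whether that classification is intended should be confirmed.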
--- /dev/null
+++ b/rules/community-game.rules
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-game.rules,v 1.8 2005/11/10 14:15:43 akirk Exp $
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"COMMUNITY GAME Halocon Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12281; sid:100000102; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"COMMUNITY GAME FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:1;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 7000 (msg:"COMMUNITY GAME Battle Carry attempt"; dsize:>8192; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:cve,2005-3493; reference:bugtraq,15282; classtype:attempted-dos; sid:100000182; rev:1;)
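Review bot: The three "Empty UDP Packet" rules (sid:100000102, 100000103, 100000104) match any zero-length datagram from `$EXTERNAL_NET` to the port on every host in `$HOME_NET`. Routine UDP probing of those ports will therefore raise `attempted-dos` alerts on networks that do not run the named game servers. A comment at the top of the file would set expectations, for example `# Enable only where the named game server is deployed; any empty UDP datagram to the port matches.` These three rules also place `classtype` before `reference`, while the last two rules in the hunk use the opposite order; a single order would make the file easier to scan.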
--- /dev/null
+++ b/rules/oracle.rules
@@ -0,0 +1,375 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: oracle.rules,v 1.17.2.3.2.4 2005/05/31 17:13:03 mwatchinski Exp $
+#----------
+# ORACLE RULES
+#----------
+#
+# These signatures detect unusual and potentially malicious oracle traffic.
+# These signatures are based from signatures written by Hank Leininger
+# <hlein@progressive-comp.com> for Enterasys's Dragon IDS that he released
+# publicly.
+#
+# These signatures are not enabled by default as they may generate false
+# positive alarms on networks that do oracle development.  If you use an
+# Oracle based web application, you should set the destination port to
+# 80 to catch attackers attempting to exploit your web application.
+#
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2599; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:bugtraq,7453; reference:cve,2003-0222; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2897; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2762; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2856; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2738; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:1;)
--- /dev/null
+++ b/rules/x11.rules
@@ -0,0 +1,24 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: x11.rules,v 1.19.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#----------
+# X11 RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
--- /dev/null
+++ b/rules/community-sql-injection.rules
@@ -0,0 +1,15 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-sql-injection.rules,v 1.10 2006/10/19 20:19:34 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/rawdocdata.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000106; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/RawCustomSearchField.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000107; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB board.php"; flow:to_server,established; uricontent:"/board.php"; pcre:"/board.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000108; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB member.php"; flow:to_server,established; uricontent:"/member.php"; pcre:"/member.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000109; rev:1;)
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumTopicDetails.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20846; classtype:web-application-attack; sid:100000192; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumAuthDetails.php"; nocase; uricontent:"AuthID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20845; classtype:web-application-attack; sid:100000193; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt"; flow:to_server,established;  uricontent:"/ForumReply.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20847; classtype:web-application-attack; sid:100000194; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION BXCP Sql Injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; pcre:"/\x2b\w*\x54\w*/"; reference:bugtraq,18765; reference:url,www.milw0rm.com/exploits/1975; classtype:web-application-attack; sid:100000690; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"admin"; nocase; reference:bugtraq,18760; classtype:web-application-attack; sid:100000691; rev:2;)
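Review bot: The RawCustomSearchField.asp rule (sid:100000107) still carries `uricontent:"/rawdocdata.asp?"` from the rule above it, so its content check and its pcre name two different pages and the rule can only fire on a URI that contains both. It should read `uricontent:"/RawCustomSearchField.asp?"; nocase;`, with `rev` bumped. As written, a request to RawCustomSearchField.asp alone is effectively not covered by this file. In the two BizTalk and two OpenBB rules the `.` before `asp`/`php` inside the pcre is also unescaped and matches any character; `\.` would be stricter.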
--- /dev/null
+++ b/rules/tftp.rules
@@ -0,0 +1,39 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: tftp.rules,v 1.19.2.1.2.2 2005/07/22 19:19:54 mwatchinski Exp $
+#-----------
+# TFTP RULES
+#-----------
+#
+# These signatures are based on TFTP traffic.  These include malicious files
+# that are distributed via TFTP.
+#
+# The last two signatures refer to generic GET and PUT via TFTP, which is
+# generally frowned upon on most networks, but may be used in some enviornments
+
+alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;)
+alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;)
+alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
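Review bot: The four filename rules (sid:1289, 1441, 1442, 1443) are classified `successful-admin`, but each only matches a read request (opcode `|00 01|`) whose payload contains the string somewhere after offset 2, so an alert shows that a file was asked for, not that it was delivered. `classtype:attempted-admin`, which the two overflow rules in this hunk already use, would describe the evidence more accurately, and analysts should confirm the transfer from the data packets before escalating. Because the match is an unanchored, case-insensitive substring, any requested name that merely contains `passwd` or `shadow` will also alert. The header comment is out of step as well: it calls the last two signatures the generic GET and PUT, but the last rule is the NULL command one (sid:2339); something like `# The generic GET and PUT signatures (sid:1444, sid:518) are ...` would stay correct as rules are appended.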
--- /dev/null
+++ b/rules/policy.rules
@@ -0,0 +1,55 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: policy.rules,v 1.38.2.2.2.3 2005/07/22 19:19:54 mwatchinski Exp $
+#-------------
+# POLICY RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)
+
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;)
+
+
+# we have started to see multiple versions of this beyond 003.003, so we have
+# expanded this signature to take that into account.
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;)
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;)
+alert ip 66.151.158.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:3;)
+
+# NOTES: This signature would be better off using uricontent, and having the
+# http decoder looking at 5800 and 5802, but that is on by default
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD  ' possible warez site"; flow:to_Server,established; content:"MKD  "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;)
+alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;)
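Review bot: The gotomypc rule (sid:1429) alerts on every packet from the single literal address `66.151.158.177` with no port or content condition, so what it detects depends entirely on who holds that address: if the service moves the rule goes silent, and if the address is reassigned it alerts on unrelated traffic. A comment recording when the address was last checked would help, e.g. `# sid 1429: address of poll.gotomypc.com as of <DATE-VERIFIED>; re-check before relying on this rule`. Separately, sid:547 spells the flow option `to_Server` where every other rule in the file uses `to_server`; whether the parser accepts the mixed case is not visible here, so normalising it is the safer choice.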
--- /dev/null
+++ b/rules/mysql.rules
@@ -0,0 +1,31 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: mysql.rules,v 1.10.2.2.2.3 2005/05/31 17:13:02 mwatchinski Exp $
+#----------
+# MYSQL RULES
+#----------
+#
+# These signatures detect unusual and potentially malicious mysql traffic.
+#
+# These signatures are not enabled by default as they may generate false
+# positive alarms on networks that do mysql development.
+#
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
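Review bot: sid:1775 is labelled a root login attempt, but its single content match pins the whole start of the packet, including the leading bytes `0A 00 00 01` and the `85 04 00 00 80` that follow; if the first three bytes are the packet length, as they appear to be, a length of 10 leaves room for nothing after `root|00|`, so a root login that carries a password or different client flags would not match. That is worth stating above the rule, e.g. `# sid 1775 only matches the fixed 10-byte login packet (user root, no password field)`, so that the absence of this alert is not read as the absence of root logins. The header also says these signatures are not enabled by default, yet all three rules are added uncommented; whether the file is included by the configuration is outside this hunk.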
--- /dev/null
+++ b/rules/purge-non-gpl.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Purges non-GPL rules from a common set
+
+if [ -z "$1" ] ; then
+    echo "Usage: $0 directory_with_rules"
+fi
+
+if [ ! -d "$1" ] ; then
+    echo "ERROR: $1 is not a directory"
+    exit 1
+fi
+
+for file in $1/*rules; do
+    if [ -r "$file" ] ; then
+        name=`basename $file`
+        if [ ! -e "$name" ] ; then
+            cat $file |perl remove-non-gpl.pl >$name
+        else
+            echo "ERROR: Cowardly refusing to overwrite $name"
+        fi
+    fi
+done
+
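Review bot: The loop expands `$1/*rules`, `$file` and `$name` unquoted, so a directory or rule-file name containing spaces or glob characters is split or re-expanded, and a failed `perl remove-non-gpl.pl` run leaves a truncated `$name` behind that the next run then refuses to overwrite. The usage branch also prints its message without exiting, and `remove-non-gpl.pl` is looked up relative to the current directory, which the script never checks. Since the output is meant to be a licence-filtered rule set, a silently partial file is the outcome to guard against; the fence shows the quoting, the missing exit and the cleanup on failure.
```shell
if [ -z "$1" ] ; then
    echo "Usage: $0 directory_with_rules"
    exit 1
fi
# … unchanged: directory check …
for file in "$1"/*rules; do
    # … unchanged: readability test …
        name=`basename "$file"`
        if [ ! -e "$name" ] ; then
            # Drop the output on failure so a partial file is never kept as a purged rule set.
            if ! perl remove-non-gpl.pl <"$file" >"$name" ; then
                echo "ERROR: filtering $file failed"
                rm -f "$name"
            fi
        # … unchanged: refusal to overwrite an existing file …
```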
--- /dev/null
+++ b/rules/bad-traffic.rules
@@ -0,0 +1,41 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: bad-traffic.rules,v 1.31.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#------------------
+# BAD TRAFFIC RULES
+#------------------
+# These signatures are representitive of traffic that should never be seen on
+# any network.  None of these signatures include datagram content checking
+# and are extremely quick signatures
+#
+
+alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:11;)
+alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+# linux happens.  Blah
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
+alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)
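Review bot: sid:1627 treats every IP protocol number above 134 as unassigned (`ip_proto:>134`), which hard-codes one snapshot of the IANA registry that the rule itself references; numbers assigned after that snapshot will be reported as BAD-TRAFFIC. A comment such as `# 134 = highest assigned protocol number when this rule was written; re-check against the IANA list` would tell operators that the threshold needs periodic review. The SYN-to-multicast rule (sid:1431) likewise lists only `232.0.0.0/8`, `233.0.0.0/8` and `239.0.0.0/8`, not the whole 224.0.0.0/4 multicast block; if that selection is deliberate it deserves a one-line reason next to the rule.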
--- /dev/null
+++ b/rules/generators
@@ -0,0 +1,39 @@
+# Master Registry of Snort Generator Ids
+#
+#
+# This file is used to maintain unique generator ids for files even if
+# the default snort configuration doesn't include some patch that is
+# required for a specific preprocessor to work
+#
+#
+#
+# Maintainer: Chris Green <cmg@sourcefire.com>
+#
+# Contact cmg@sourcefire.com for an assignment
+
+rules_subsystem		   1   # Snort Rules Engine
+tag_subsystem		   2   # Tagging Subsystem
+portscan                   100 # Portscan1
+minfrag                    101 # Minfrag [ removed ]
+http_decode                102 # HTTP decode 1/2
+defrag                     103 # First defragmenter [ removed ]
+spade                      104 # SPADE [ not included anymore ]
+bo                         105 # Back Orifice
+rpc_decode                 106 # RPC Preprocessor
+stream2                    107 # 2nd stream preprocessor [removed]
+stream3                    108 # 3rd stream preprocessor (AVL nightmare) [ removed ]
+telnet_neg                 109 # telnet option decoder
+unidecode                  110 # unicode decoder
+stream4                    111 # Stream4 preprocessor
+arpspoof                   112 # Arp Spoof detector
+frag2                      113 # 2nd fragment preprocessor
+fnord                      114 # NOP detector [ removed ]
+asn1                       115 # ASN.1 Validator [ removed ]
+decode                     116 # Snort Internal Decoder
+scan2                      117 # portscan2
+conversation               118 # conversation
+reserved                   119 # TBA
+reserved                   120 # TBA
+snmp                       121 # Andrew Baker's newer SNMP decoder
+sfportscan		   122 # Dan Roelkers portscan
+frag3			   123 # Marty Roesch's ip frag reassembler
--- /dev/null
+++ b/rules/web-attacks.rules
@@ -0,0 +1,74 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-attacks.rules,v 1.18.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+# ----------------
+# WEB ATTACKS
+# ----------------
+# These signatures are generic signatures that will catch common commands
+# used to exploit form variable vulnerabilities.  These signatures should
+# not false very often.
+#
+# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net
+# if you find one of these signatures to be too false possitive.
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; reference:bugtraq,10361; sid:1330; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:6;)
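Review bot: sid 1329 uses `uricontent:"ps%20"`, but uricontent is matched against the normalized request URI, where an encoded space has normally already been decoded, so depending on the HTTP preprocessor settings this rule may never fire on the request it describes. The other uricontent rules in the file (sid 1328, 1368, 1369) match strings that survive normalization and are not affected. Keeping the encoded literal in a raw payload match, `content:"ps%20"; nocase;`, as sid 1330 and the other `%20` rules here do, would make the rule consistent with its neighbours. Separately, the short raw tokens in sid 1344 (`cc%20`), 1360 (`nc%20`) and 1365 (`rm%20`) also match inside longer words anywhere in the request, which sits badly with the header comment's claim that these signatures rarely produce false positives. A comment above those three, such as `# short token, expect false positives; tune or suppress per site`, would tell operators what to expect.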
--- /dev/null
+++ b/rules/pop3.rules
@@ -0,0 +1,58 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: pop3.rules,v 1.22.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
+#--------------
+# POP3 RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;)
+
+# bsd-qpopper.c
+# overflow in the reading of a line in qpopper
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:11;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:13;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2535; rev:6;)
+alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2536; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;)
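Review bot: The port 995 rules depend on each other through flowbits, and nothing in the file says so. sid 2535 and 2536 only record state (`flowbits:set,...; flowbits:noalert;`), sid 2537 fires only when `sslv3.server_hello.request` is set, and sid 2502 and 2518 are gated on the same bits being unset. An operator who disables 2535/2536 because they never alert would silently stop 2537 from firing and remove the gating on 2502/2518. A comment above sid 2535 would prevent that, for example `# sids 2535/2536 are state-only (noalert); sids 2502, 2518 and 2537 depend on them - keep enabled together`. Also, within this file only the `sslv3.*` bits are ever set, so the `isnotset` checks on `sslv2.*` and `tlsv1.*` look always true for these flows unless another rules file sets them on port 995; that is worth confirming.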
--- /dev/null
+++ b/rules/web-misc.rules
@@ -0,0 +1,443 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-misc.rules,v 1.118.2.8.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#---------------
+# WEB-MISC RULES
+#---------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; byte_test:2,<,768,4; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,10; classtype:attempted-admin; sid:2657; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; byte_test:2,<,768,3; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,9; classtype:attempted-admin; sid:2656; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; reference:bugtraq,2285; reference:cve,2001-0250; classtype:web-application-attack; sid:1048; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp attempt"; flow:to_server,established; content:"ftp.exe"; nocase; classtype:web-application-activity; sid:1057; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wsh attempt"; flow:to_server,established; content:"wsh.exe"; nocase; classtype:web-application-activity; sid:1064; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rcmd attempt"; flow:to_server,established; uricontent:"rcmd.exe"; nocase; classtype:web-application-activity; sid:1065; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC telnet attempt"; flow:to_server,established; content:"telnet.exe"; nocase; classtype:web-application-activity; sid:1066; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC net attempt"; flow:to_server,established; content:"net.exe"; nocase; classtype:web-application-activity; sid:1067; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tftp attempt"; flow:to_server,established; content:"tftp.exe"; nocase; classtype:web-application-activity; sid:1068; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:1977; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:1978; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; reference:arachnids,474; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; flow:to_server,established; uricontent:".nsf/"; uricontent:"../"; nocase; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webhits.exe access"; flow:to_server,established; uricontent:"/scripts/samples/search/webhits.exe"; nocase; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC queryhit.htm access"; flow:to_server,established; uricontent:"/samples/search/queryhit.htm"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/counter.exe"; nocase; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?>/iR"; reference:bugtraq,1656; reference:cve,2000-0869; classtype:web-application-activity; sid:1079; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec upload"; flow:to_server,established; uricontent:"/servlet/com.unify.servletexec.UploadServlet"; nocase; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; nocase; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec DOS"; flow:to_server,established; uricontent:"/servlet/ServletExec"; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ Webfront HTTP DOS"; flow:to_server,established; uricontent:"??????????"; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ Source Code view access"; flow:to_server,established; uricontent:"/webplus.exe?script=test.wml"; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ internal IP Address access"; flow:to_server,established; uricontent:"/webplus.exe?about"; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; uricontent:"_private/shopping_cart.mdb"; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; reference:arachnids,310; classtype:web-application-activity; sid:1100; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; reference:arachnids,309; classtype:web-application-activity; sid:1101; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 1.X 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nessus 2.x 404 probe"; flow:to_server,established; uricontent:"/NessusTest"; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BigBrother access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl attempt"; flow:to_server,established; uricontent:"/ftp.pl?dir=../.."; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl access"; flow:to_server,established; uricontent:"/ftp.pl"; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:1108; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROXEN directory list attempt"; flow:to_server,established; uricontent:"/%00"; reference:bugtraq,1510; reference:cve,2000-0671; classtype:attempted-recon; sid:1109; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ webserver DOS"; flow:to_server,established; uricontent:".html/......"; nocase; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus DelDoc attempt"; flow:to_server,established; uricontent:"?DeleteDocument"; nocase; classtype:attempted-recon; sid:1116; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus EditDoc attempt"; flow:to_server,established; uricontent:"?EditDocument"; nocase; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:1118; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mlog.phtml access"; flow:to_server,established; uricontent:"/mlog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?PageServices access"; flow:to_server,established; uricontent:"?PageServices"; nocase; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce check.txt access"; flow:to_server,established; uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; sid:1124; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart access"; flow:to_server,established; uricontent:"/webcart/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AuthChangeUrl access"; flow:to_server,established; uricontent:"_AuthChangeUrl?"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC convert.bas access"; flow:to_server,established; uricontent:"/scripts/convert.bas"; nocase; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cpshost.dll access"; flow:to_server,established; uricontent:"/scripts/cpshost.dll"; nocase; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htaccess access"; flow:to_server,established; uricontent:".htaccess"; nocase; classtype:attempted-recon; sid:1129; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".wwwacl"; nocase; classtype:attempted-recon; sid:1130; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".www_acl"; nocase; classtype:attempted-recon; sid:1131; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cd.."; flow:to_server,established; content:"cd.."; nocase; classtype:attempted-recon; sid:1136; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; flow:to_server,established; uricontent:"/guestbook.pl"; nocase; reference:arachnids,228; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler attempt"; flow:to_server,established; uricontent:"/handler"; uricontent:"|7C|"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler access"; flow:to_server,established; uricontent:"/handler"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1143; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; reference:nessus,11032; classtype:attempted-recon; sid:1144; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~root access"; flow:to_server,established; uricontent:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~ftp access"; flow:to_server,established; uricontent:"/~ftp"; nocase; classtype:attempted-recon; sid:1662; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/config/import.txt"; nocase; classtype:attempted-recon; sid:1146; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/orders/import.txt"; nocase; classtype:attempted-recon; sid:1148; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino catalog.nsf access"; flow:to_server,established; uricontent:"/catalog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domcfg.nsf access"; flow:to_server,established; uricontent:"/domcfg.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domlog.nsf access"; flow:to_server,established; uricontent:"/domlog.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino log.nsf access"; flow:to_server,established; uricontent:"/log.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino names.nsf access"; flow:to_server,established; uricontent:"/names.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mab.nsf access"; flow:to_server,established; uricontent:"/mab.nsf"; nocase; reference:bugtraq,4022; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino cersvr.nsf access"; flow:to_server,established; uricontent:"/cersvr.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino setup.nsf access"; flow:to_server,established; uricontent:"/setup.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino statrep.nsf access"; flow:to_server,established; uricontent:"/statrep.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino webadmin.nsf access"; flow:to_server,established; uricontent:"/webadmin.nsf"; nocase; reference:bugtraq,9900; reference:bugtraq,9901; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino events4.nsf access"; flow:to_server,established; uricontent:"/events4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino ntsync4.nsf access"; flow:to_server,established; uricontent:"/ntsync4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino collect4.nsf access"; flow:to_server,established; uricontent:"/collect4.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mailw46.nsf access"; flow:to_server,established; uricontent:"/mailw46.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino bookmark.nsf access"; flow:to_server,established; uricontent:"/bookmark.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino agentrunner.nsf access"; flow:to_server,established; uricontent:"/agentrunner.nsf"; nocase; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mail.box access"; flow:to_server,established; uricontent:"/mail.box"; nocase; reference:bugtraq,881; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce checks.txt access"; flow:to_server,established; uricontent:"/orders/checks.txt"; nocase; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache directory disclosure attempt"; flow:to_server,established; content:"////////"; reference:bugtraq,2503; classtype:attempted-dos; sid:1156; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC windmail.exe access"; flow:to_server,established; uricontent:"/windmail.exe"; nocase; reference:arachnids,465; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; flow:to_server,established; uricontent:"/webplus?script"; nocase; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent:"?wp-"; nocase; reference:arachnids,270; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1160; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cart 32 AdminPwd access"; flow:to_server,established; uricontent:"/c32web.exe/ChangeAdminPassword"; nocase; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access"; flow:to_server,established; uricontent:"/quikstore.cfg"; nocase; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ws_ftp.ini access"; flow:to_server,established; uricontent:"/ws_ftp.ini"; nocase; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mall log order access"; flow:to_server,established; uricontent:"/mall_log_files/order.log"; nocase; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wwwboard.pl access"; flow:to_server,established; uricontent:"/wwwboard.pl"; nocase; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-verify-link"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1177; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:arachnids,258; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe attempt"; flow:to_server,established; uricontent:"/cgitest.exe|0D 0A|user"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-attack; sid:1182; rev:17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe access"; flow:to_server,established; uricontent:"/cgitest.exe"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-cs-dump"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-info"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-diff"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer web command attempt"; flow:to_server,established; uricontent:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-attack; sid:1187; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer access"; flow:to_server,established; uricontent:"/slxweb.dll"; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-start-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-stop-ver"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-uncheckout"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-html-rend"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan attempt"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; uricontent:"domain="; nocase; uricontent:"event="; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan access"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe"; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; uricontent:"?&"; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web application server access"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-usr-prop"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:8;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.vts access"; flow:to_server,established; uricontent:"/search.vts"; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep attempt"; flow:to_server,established; uricontent:"/htgrep"; content:"hdr=/"; reference:cve,2000-0832; classtype:web-application-attack; sid:1615; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep access"; flow:to_server,established; uricontent:"/htgrep"; reference:cve,2000-0832; classtype:web-application-activity; sid:1207; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .nsconfig access"; flow:to_server,established; uricontent:"/.nsconfig"; reference:url,www.osvdb.org/5709; classtype:attempted-recon; sid:1209; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Admin_files access"; flow:to_server,established; uricontent:"/admin_files"; nocase; classtype:attempted-recon; sid:1212; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; uricontent:"/backup"; nocase; classtype:attempted-recon; sid:1213; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC intranet access"; flow:to_server,established; uricontent:"/intranet/"; nocase; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filemail access"; flow:to_server,established; uricontent:"/filemail"; nocase; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC adminlogin access"; flow:to_server,established; uricontent:"/adminlogin"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ultraboard access"; flow:to_server,established; uricontent:"/ultraboard"; nocase; reference:bugtraq,1164; reference:bugtraq,1175; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower attempt"; flow:to_server,established; uricontent:"/empower?DB="; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower access"; flow:to_server,established; uricontent:"/empower"; nocase; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROADS search.pl attempt"; flow:to_server,established; uricontent:"/ROADS/cgi-bin/search.pl"; content:"form="; nocase; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSave access"; flow:to_server,established; uricontent:"/FtpSave.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCSP access"; flow:to_server,established; uricontent:"/FtpSaveCSP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCVP access"; flow:to_server,established; uricontent:"/FtpSaveCVP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; uricontent:".jsp"; nocase; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet directory traversal attempt"; flow:to_server,established; uricontent:"/SWEditServlet"; content:"template=../../../"; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet access"; flow:to_server,established; uricontent:"/SWEditServlet"; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; reference:cve,2001-0552; classtype:misc-activity; sid:1258; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a\s*Basic\s[^\n]{512}/smi"; reference:bugtraq,3230; reference:cve,2001-1067; classtype:attempted-dos; sid:1260; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sml3com access"; flow:to_server,established; uricontent:"/graphics/sml3com"; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC carbo.dll access"; flow:to_server,established; uricontent:"/carbo.dll"; content:"icatcommand="; nocase; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC console.exe access"; flow:to_server,established; uricontent:"/cgi-bin/console.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cs.exe access"; flow:to_server,established; uricontent:"/cgi-bin/cs.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jrun directory browse attempt"; flow:to_server,established; uricontent:"/?.jsp"; reference:bugtraq,3592; classtype:web-application-attack; sid:1376; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mod-plsql administration access"; flow:to_server,established; uricontent:"/admin_/"; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode.jse access"; flow:to_server,established; uricontent:"/viewcode.jse"; reference:bugtraq,3715; classtype:web-application-activity; sid:1389; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorecast remote code execution attempt"; flow:to_server,established; content:"includedir="; reference:bugtraq,3388; reference:cve,2001-1049; classtype:web-application-attack; sid:1391; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode access"; flow:to_server,established; uricontent:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:1403; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC showcode access"; flow:to_server,established; uricontent:"/showcode"; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; classtype:web-application-attack; sid:1404; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .history access"; flow:to_server,established; uricontent:"/.history"; classtype:web-application-attack; sid:1433; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .bash_history access"; flow:to_server,established; uricontent:"/.bash_history"; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~nobody access"; flow:to_server,established; uricontent:"/~nobody"; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser  directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC *%0a.pl access"; flow:to_server,established; uricontent:"/*|0A|.pl"; nocase; reference:nessus,11007; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkplog.exe access"; flow:to_server,established; uricontent:"/mkplog.exe"; nocase; classtype:web-application-activity; sid:1664; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .DS_Store access"; flow:to_server,established; uricontent:"/.DS_Store"; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .FBCIndex access"; flow:to_server,established; uricontent:"/.FBCIndex"; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache ?M=D directory list attempt"; flow:to_server,established; uricontent:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:1519; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl attempt"; flow:to_server,established; uricontent:"/ans.pl?p=../../"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl access"; flow:to_server,established; uricontent:"/ans.pl"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AxisStorpoint CD attempt"; flow:to_server,established; uricontent:"/cd/../config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Axis Storpoint CD access"; flow:to_server,established; uricontent:"/config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix sendmail.inc access"; flow:to_server,established; uricontent:"/inc/sendmail.inc"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix mysql.class access"; flow:to_server,established; uricontent:"/class/mysql.class"; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BBoard access"; flow:to_server,established; uricontent:"/servlet/sunexamples.BBoardServlet"; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Catalyst command execution attempt"; flow:to_server,established; uricontent:"/exec/show/config/cr"; nocase; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; reference:bugtraq,1154; reference:cve,2000-0380; classtype:web-application-attack; sid:1546; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /CVS/Entries access"; flow:to_server,established; uricontent:"/CVS/Entries"; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cvsweb version access"; flow:to_server,established; uricontent:"/cvsweb/version"; reference:cve,2000-0670; classtype:web-application-activity; sid:1552; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/packages access"; flow:to_server,established; uricontent:"/doc/packages"; nocase; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; flow:to_server,established; uricontent:"/doc/"; nocase; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm attempt"; flow:to_server,established; uricontent:"/login.htm?password="; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/ftp access"; flow:to_server,established; uricontent:"/home/ftp"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/www access"; flow:to_server,established; uricontent:"/home/www"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC global.inc access"; flow:to_server,established; uricontent:"/global.inc"; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll directory listing attempt"; flow:to_server,established; uricontent:"/search.dll"; content:"query=%00"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll access"; flow:to_server,established; uricontent:"/search.dll"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:6;)
+
+
+# The following signatures are for non-standard ports.  When ports lists work,
+# then these will be converted to use HTTP_PORTS & HTTP_SERVERS
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC PIX firewall manager directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:web-application-attack; sid:1498; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"WEB-MISC iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; reference:cve,2000-0165; classtype:web-application-activity; sid:1558; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"WEB-MISC nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:8;)
+
+# uricontent would be nice, but we can't be sure we are running http decoding
+# on 2301.  oh for rna integration...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq Insight directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:11;)
+
+
+# when we get real ports list, we will merge these sigs.  so for now, keep the
+# message the same.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; uricontent:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:8;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1809; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1807; rev:10;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC CISCO VoIP DOS ATTEMPT"; flow:to_server,established; uricontent:"/StreamingStatistics"; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC IBM Net.Commerce orderdspc.d2w access"; flow:established,to_server; uricontent:"/ncommerce3/ExecMacro/orderdspc.d2w"; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WEB-INF access"; flow:established,to_server; uricontent:"/WEB-INF"; nocase; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet Search directory traversal attempt"; flow:established,to_server; uricontent:"/search"; content:"NS-query-pat="; content:"../../"; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jigsaw dos attempt"; flow:established,to_server; uricontent:"/servlet/con"; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Macromedia SiteSpring cross site scripting attempt"; flow:established,to_server; uricontent:"/error/500error.jsp"; nocase; uricontent:"et="; uricontent:"<script"; nocase; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mailman cross site scripting attempt"; flow:established,to_server; uricontent:"/mailman/"; nocase; uricontent:"?"; uricontent:"info="; uricontent:"<script"; nocase; reference:bugtraq,5298; reference:cve,2002-0855; classtype:web-application-attack; sid:1839; rev:4;)
+
+
+
+# NOTES: this signature looks for access to common webalizer output directories.
+# Webalizer is a http server log reporting program.  By allowing anyone on the
+# internet to view the web access logs, attackers can gain information about
+# your customers that probably should not be made public.  webalizer had cross
+# site scripting bugs prior to version 2.01-09.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webalizer access"; flow:established,to_server; uricontent:"/webalizer/"; nocase; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:9;)
+
+
+# NOTES: this signature looks for someone accessing the directory webcart-lite.
+# webcart-lite allows users to access world readable plain text customer
+# information databases.  To correct this issue, users should make the
+# data directories and databases not world readable, move the files outside of
+# WEBROOT if possible, and verify that a compromise of customer information has
+# not occured.
+# SIMILAR RULES: sid:1125
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart-lite access"; flow:to_server,established; uricontent:"/webcart-lite/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:5;)
+
+
+# NOTES: this signature looks for someone accessing the web application
+# "webfind.exe".  This application has a buffer overflow in the keywords
+# argument.  An attacker can use this vulnerability to execute arbitrary
+# code on the web server.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webfind.exe access"; flow:to_server,established; uricontent:"/webfind.exe"; nocase; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:7;)
+
+# NOTES: this signature looks for someone accessing the file "active.log" via
+# a web server.  By allowing anyone on the internet to view the web access
+# logs, attackers can gain information about your customers that probably
+# should not be made public.
+#
+# This logfile is made available from the WebActive webserver.  This webserver
+# is no longer maintained and should be replaced with an actively maintained
+# webserver.  If converting to another webserver is not possible, remove read
+# access to this file.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC active.log access"; flow:to_server,established; uricontent:"/active.log"; nocase; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:6;)
+
+
+
+# NOTES: this signature looks for someone accessing the file "robots.txt" via
+# web server.  This file is used to make web spider agents (including search
+# engines) more efficient.  robots.txt is often used to inform a web spider
+# which directories that the spider should ignore because the content may be
+# dynamic or restricted.  An attacker can use this information to gain insite
+# into directories that may have been deemed sensitive.
+#
+# Verify that the robots.txt does not include any sensitive information.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:5;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"WEB-MISC Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+OmFkbWlu/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46YWRtaW4/smi"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle XSQLConfig.xml access"; flow:to_server,established; uricontent:"/XSQLConfig.xml"; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; uricontent:"/dms0"; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC globals.jsa access"; flow:to_server,established; uricontent:"/globals.jsa"; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Java Process Manager access"; flow:to_server,established; uricontent:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD with large datagram"; flow:to_server,established,no_stream; dsize:>512; content:"HEAD"; depth:4; nocase; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker space splice attack"; flow:to_server,established; dsize:1; content:" "; reference:arachnids,296; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1104; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker tab splice attack"; flow:to_server,established; dsize:<5; content:"|09|"; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /ecscripts/ecware.exe access"; flow:to_server,established; uricontent:"/ecscripts/ecware.exe"; nocase; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ion-p access"; flow:to_server,established; uricontent:"/ion-p"; nocase; reference:bugtraq,6091; reference:cve,2002-1559; classtype:web-application-activity; sid:1969; rev:3;)
+
+# uricontent would be nice, but we can't be sure we are running http decoding
+# on 8888.  oh for rna integration...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC perl post attempt"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2056; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2061; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2064; rev:4;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2066; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; reference:bugtraq,6841; classtype:web-application-attack; sid:2067; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe|7C|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard.mdb access"; flow:to_server,established; uricontent:"/philboard.mdb"; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp authentication bypass attempt"; flow:to_server,established; uricontent:"/philboard_admin.asp"; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp access"; flow:to_server,established; uricontent:"/philboard_admin.asp"; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC logicworks.ini access"; flow:to_server,established; uricontent:"/logicworks.ini"; reference:bugtraq,6996; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC /*.shtml access"; flow:to_server,established; uricontent:"/*.shtml"; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC mod_gzip_status access"; flow:to_server,established; uricontent:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC register.dll access"; flow:to_server,established; uricontent:"/register.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ContentFilter.dll access"; flow:to_server,established; uricontent:"/ContentFilter.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SFNofitication.dll access"; flow:to_server,established; uricontent:"/SFNofitication.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC TOP10.dll access"; flow:to_server,established; uricontent:"/TOP10.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SpamExcp.dll access"; flow:to_server,established; uricontent:"/SpamExcp.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC spamrule.dll access"; flow:to_server,established; uricontent:"/spamrule.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgiWebupdate.exe access"; flow:to_server,established; uricontent:"/cgiWebupdate.exe"; nocase; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebLogic ConsoleHelp view source attempt"; flow:to_server,established; uricontent:"/ConsoleHelp/"; nocase; uricontent:".jsp"; nocase; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC redirect.exe access"; flow:to_server,established; uricontent:"/redirect.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2239; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC changepw.exe access"; flow:to_server,established; uricontent:"/changepw.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2240; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cwmail.exe access"; flow:to_server,established; uricontent:"/cwmail.exe"; nocase; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ddicgi.exe access"; flow:to_server,established; uricontent:"/ddicgi.exe"; nocase; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ndcgi.exe access"; flow:to_server,established; uricontent:"/ndcgi.exe"; nocase; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VsSetCookie.exe access"; flow:to_server,established; uricontent:"/VsSetCookie.exe"; nocase; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webnews.exe access"; flow:to_server,established; uricontent:"/Webnews.exe"; nocase; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle portal demo access"; flow:to_server,established; uricontent:"/pls/portal/PORTAL_DEMO"; nocase; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; uricontent:"/psdoccgi"; nocase; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bsml.pl access"; flow:to_server,established; uricontent:"/bsml.pl"; nocase; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ISAPISkeleton.dll access"; flow:to_server,established; uricontent:"/ISAPISkeleton.dll"; nocase; reference:bugtraq,9516; classtype:web-application-activity; sid:2369; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BugPort config.conf file access"; flow:to_server,established; uricontent:"/config.conf"; nocase; reference:bugtraq,9542; classtype:attempted-recon; sid:2370; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sample_showcode.html access"; flow:to_server,established; uricontent:"/Sample_showcode.html"; nocase; content:"fname"; reference:bugtraq,9555; classtype:web-application-activity; sid:2371; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC InteractiveQuery.jsp access"; flow:to_server,established; uricontent:"/InteractiveQuery.jsp"; nocase; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC edittag.pl access"; flow:to_server,established; uricontent:"/edittag.pl"; nocase; reference:bugtraq,6675; classtype:web-application-activity; sid:2400; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC util.pl access"; flow:to_server,established; uricontent:"/util.pl"; nocase; reference:bugtraq,9748; classtype:web-application-activity; sid:2407; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invision Power Board search.pl access"; flow:to_server,established; uricontent:"/search.pl"; content:"st="; nocase; reference:bugtraq,9766; classtype:web-application-activity; sid:2408; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 554 (msg:"WEB-MISC Real Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; reference:bugtraq,8476; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:5;)
+
+# YES, the contents are logically backwards as to how the contents are seen on
+# the wire.  snort picks up the first of the longest pattern.  login=0 happens
+# MUCH less than Cookie.  so we do this for speed.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3A|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:bugtraq,9735; reference:cve,2004-0169; classtype:web-application-attack; sid:2442; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC source.jsp access"; flow:to_server,established; uricontent:"/source.jsp"; nocase; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ServletManager access"; flow:to_server,established; uricontent:"/servlet/ServletManager"; nocase; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC setinfo.hts access"; flow:to_server,established; uricontent:"/setinfo.hts"; nocase; reference:bugtraq,9973; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:2;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2520; rev:10;)
+alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2521; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:10;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:13;)
+
+# one of these days, we will have port lists...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"WEB-MISC McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cPanel resetpass access"; flow:to_server,established; uricontent:"/resetpass"; nocase; reference:bugtraq,9848; classtype:web-application-activity; sid:2569; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; depth:300; nocase; isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt"; flow:to_server,established; uricontent:"/crystalimagehandler.aspx"; nocase; content:"dynamicimage=../"; nocase; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-attack; sid:2582; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2597; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"WEB-MISC Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2598; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2658; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2661; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2659; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sresult.exe access"; flow:to_server,established; uricontent:"/sresult.exe"; nocase; reference:bugtraq,10837; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:1;)
+alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv2 Server_Hello request"; flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2660; rev:4;)
+alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2662; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus username overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/username=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; uricontent:"/login.uix"; nocase; pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; uricontent:"/isqlplus"; nocase; pcre:"/sid=[^&\x3b\r\n]{255}/si"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htgroup access"; flow:to_server,established; uricontent:".htgroup"; nocase; classtype:web-application-activity; sid:1374; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLS1 Client_Hello with pad via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tls1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|03 01|"; depth:2; offset:4; flowbits:set,tls1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3060; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:3059; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; uricontent:"/app_sta.stm"; nocase; reference:bugtraq,11408; classtype:web-application-activity; sid:3086; rev:1;)
--- /dev/null
+++ b/rules/community-ftp.rules
@@ -0,0 +1,4 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-ftp.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $
--- /dev/null
+++ b/rules/community-imap.rules
@@ -0,0 +1,15 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-imap.rules,v 1.7 2006/04/07 13:34:06 akirk Exp $
+
+alert tcp $EXTERNAL_NET any  -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU Mailutils request tag format string vulnerability"; flow:to_server,established; content:"|25|"; pcre:"/^\S*\x25\S*\s/sm"; reference:cve,CAN-2005-1523; reference:bugtraq,13764; classtype:attempted-admin; sid:100000135; rev:1;)
+#Rule submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU imapd search format string attempt"; flow:established,to_server; pcre:"/\sSEARCH.*\%/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; reference:cve,2005-2878; classtype:misc-attack; sid:100000136; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication protocol decode"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN]/smi"; flowbits:set,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000152; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt"; flow:to_server,established; flowbits:isset,community_imap.auth; isdataat:342; pcre:"/[^\x0A]{342,}/"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000153; rev:3;)
+alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"COMMUNITY IMAP MDaemon authentication okay protocol decode"; flow:to_client,established; content:"AUTHENTICATE"; nocase; pcre:"/\sOK\sAUTHENTICATE/smi"; flowbits:unset,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000154; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP MDaemon authentication overflow single packet attempt"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN][^\n]*\n[^\n]{342}/smi"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000155; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"|2E 2E|"; nocase; pcre:"/^\d*\s*SELECT\s*\.\./smi"; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; sid:100000196; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"COMMUNITY IMAP GNU Mailutils imap4d hex attempt"; flow:established,to_server; content:"SEARCH TOPIC %"; reference:cve,2005-2878; reference:bugtraq,14794; reference:nessus,19605; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; classtype:misc-attack; sid:100000207; rev:2;)
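Review bot: In sid 100000152 and sid 100000155 the pcre uses `[CRAM-MD5|LOGIN]`, which is a character class matching a single character from that set, not either mechanism name. The `community_imap.auth` flowbit is therefore set for any AUTHENTICATE whose mechanism merely begins with one of those characters. Use a group instead, `pcre:"/\sAUTHENTICATE\s(?:CRAM-MD5|LOGIN)/smi"`, and make the same replacement in the single-packet rule. Since sid 100000153 has no content match of its own and relies on that flowbit, the loose match probably widens its false positives as well. In sid 100000196 the `nocase` is attached to the `|2E 2E|` content while `content:"SELECT"` stays case-sensitive, so a lower-case command never reaches the case-insensitive pcre; move `nocase;` to follow `content:"SELECT";`.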
--- /dev/null
+++ b/rules/community-virus.rules
@@ -0,0 +1,21 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-virus.rules,v 1.15 2006/10/19 20:20:29 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5554 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 5554"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000110; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 1023"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000111; rev:1;)
+alert tcp $HOME_NET any -> 207.172.16.155 80 (msg:"COMMUNITY VIRUS Possible BlackWorm or Nymex infected host"; flow:to_server,established; uricontent:"/cgi-bin/Count.cgi?df=765247"; reference:url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm; reference:url,cme.mitre.org/data/list.html#24; reference:url,isc.sans.org/blackworm; classtype:trojan-activity; sid:100000226; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache connect"; flow:to_server,established; content:"|00 02|"; flowbits:set,nugache.connection; flowbits:noalert; classtype:trojan-activity; sid:100000282; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache data"; flow:to_server,established; flowbits:isset,nugache.connection; dsize:64; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; sid:100000283; rev:1;)
+
+# DNS Rules submitted by urleet@gmail.com
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net"; content:"|01 00|"; offset:2; depth:2; content:"|05|scfzf|04|xicp|03|net";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000310; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org"; content:"|01 00|"; offset:2; depth:2; content:"|0A|localhosts|04|3322|03|org";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000311; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY VIRUS Ginwui.B POST attempt"; flow:to_server,established; content:"POST|20 2F|"; nocase; depth:6; content:"Host|3a|"; nocase; content:"scfzf.xicp.net"; nocase; pcre:"/Host\x3A[^\n\r]+scfzf.xicp.net/smi"; content:"Content-Length|3a 20|0"; nocase; content:"Connection|3a| Keep-Alive"; nocase; threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000312; rev:3;)
+
+
+alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS OutBound Dremn Trojan Beacon"; content:"|00 00 01|"; offset:3; depth:3; content:"aaaaaaaaaaaaaaaaaaaaa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...a{21})/"; reference:url,symantec.com/avcenter/venc/data/trojan.dremn.html; classtype:trojan-activity; sid:100000684; rev:1;)
+alert udp $EXTERNAL_NET 53 -> !$DNS_SERVERS any (msg: "COMMUNITY VIRUS Answering Dremn Trojan Server"; content:"|80 00 01|"; offset:3; depth:3; content:"aa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...aa)/"; reference:url,symantec.com/avcenter/venc/data/ trojan.dremn.html; classtype:trojan-activity; sid:100000685; rev:1;)
+
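Review bot: The two Ginwui.B DNS rules (sid 100000310 and 100000311) match the queried name case-sensitively, although DNS names are case-insensitive, so a query for the same host in different letter case would not alert. Add `nocase;` after the name content, e.g. `content:"|05|scfzf|04|xicp|03|net"; nocase;`. In sid 100000312 the pcre leaves the dots unescaped (`scfzf.xicp.net`); `scfzf\.xicp\.net` matches only the intended host. In sid 100000685 the reference URL contains a space (`data/ trojan.dremn.html`), so the generated link is broken.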
--- /dev/null
+++ b/rules/community-policy.rules
@@ -0,0 +1,11 @@
+# Copyright 2006 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-policy.rules,v 1.5 2007/03/05 14:39:58 akirk Exp $
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY POLICY Ajax Remote Desktop Connection"; flow:from_server,established; content:"<title>"; content:"AJAX Remote Desktop Viewer"; distance:0; reference:url,www.peterdamen.com/ajaxrd/; classtype:policy-violation; sid:100000688; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Weather Channel Desktop App Installer"; flow: established,to_server; uricontent:"/desktopfw"; nocase; uricontent:"/stubinstaller.txt?"; nocase; classtype:policy-violation; sid:100000893; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Weather Channel Desktop App"; flow: established,to_server; uricontent:"/weather/local/"; nocase; content:"Host|3A|"; nocase; content:"desktopfw.weather.com"; nocase; distance:0; pcre:"/^Host\x3A\s+desktopfw\x2Eweather\x2Ecom/smi"; classtype:policy-violation; sid:100000894; rev:1;)
+# alert ip 169.254.0.0/16 any <> any any (msg:"COMMUNITY POLICY Link Local IP addresses traffic seen"; threshold:type limit, track by_src, count 1, seconds 60; classtype:bad-unknown;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY POLICY Google SafeSearch off"; flow:to_server,established; content:"/images?"; nocase; content:"&safe=off"; nocase; content:"&q="; nocase; classtype:policy-violation; sid:100000924; rev:1;)
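Review bot: The SafeSearch rule (sid 100000924) looks for its three strings anywhere in the request, in any order and with no Host constraint, so a Referer header or an unrelated site that uses the same parameter names would raise the policy alert. Matching the URI rather than the whole payload, `uricontent:"/images?"; nocase; uricontent:"&safe=off"; nocase;`, would narrow it. A Host check like the one in sid 100000894 would tie it to the intended service. The commented-out link-local rule has no `sid` or `rev`, so it would need both before anyone enables it.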
--- /dev/null
+++ b/rules/finger.rules
@@ -0,0 +1,37 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: finger.rules,v 1.26.2.2.2.2 2005/05/31 17:13:02 mwatchinski Exp $
+#-------------
+# FINGER RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; flow:to_server,established; content:"|0A|     "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:3;)
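Review bot: Several rules in this file match one byte or a short word anywhere in the request: `content:"0"` (sid:332), `content:"."` (sid:333), `content:"@"` (sid:330) and `content:"root"` (sid:323). An ordinary lookup with a digit in the user name or a dot in the host name therefore raises an attempted-recon alert. Only sid:3151 anchors its match, with `pcre:"/^\x2f/smi"`; a similar anchor such as `content:"0"; depth:1;` on sid:332 would cut the noise, though whether the probe always sits at offset 0 should be confirmed against captures first. If the rules stay as shipped, a comment above them such as `# single-character matches below are unanchored; expect false positives where finger is in legitimate use` would help whoever tunes the sensor.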
--- /dev/null
+++ b/rules/community-web-cgi.rules
@@ -0,0 +1,22 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-cgi.rules,v 1.20 2006/09/19 13:46:50 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Readfile.tcl Access"; flow:to_server,established; uricontent:"/readfile.tcl?file="; nocase; classtype:web-application-attack; reference:bugtraq,7426; sid:100000112; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi"; flow:to_server,established; uricontent:"/member_html.cgi?"; pcre:"/member_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000113; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi"; flow:to_server,established; uricontent:"/normal_html.cgi?"; pcre:"/normal_html.cgi\x3F[^\r\n]*\s*file\x3D(\x3B|\x7C)/Ui"; classtype:web-application-attack; reference:bugtraq,7530; reference:cve,2003-0243; sid:100000114; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; uricontent:"l_op=viewlink"; nocase; uricontent:!"cid="; classtype:web-application-attack; reference:bugtraq,7589; sid:100000115; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID"; flow:to_server,established; uricontent:"modules.php?"; nocase; uricontent:"op=modload"; nocase; uricontent:"name=Web_Links"; nocase; uricontent:"file=index"; nocase; uricontent:"l_op=viewlink"; nocase; uricontent:"cid="; pcre:"/cid=[^0-9]+/Ui"; classtype:web-application-attack; reference:bugtraq,7589; sid:100000116; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI VBulliten Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/forumdisplay.php?"; nocase; uricontent:"comma="; nocase; pcre:"/forumdisplay.php?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29/Ui"; classtype:web-application-attack; reference:bugtraq,12542; sid:100000117; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php"; flow:to_server,established; uricontent:"/formmail.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/formmail.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000127; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php"; flow:to_server,established; uricontent:"/download_center_lite.inc.php"; nocase; uricontent:"script_root"; nocase; pcre:"/download_center_lite.inc.php\x3F[^\r\n]*script_root\x3D\s*http/Ui"; reference:bugtraq,12735; classtype:web-application-attack; sid:100000128; rev:1;)
+#Rule submitted by Chas Tomlin
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?"; nocase; pcre:"/rev=\d*\s*\x7C/Ui"; classtype:web-application-activity; reference:bugtraq,14834; reference:cve,2005-2877; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev; sid:100000156; rev:2;)
+#Rule submitted by David Maciejak
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt"; flow: to_server,established; uricontent:"/password_reminder.php?"; nocase; pcre:"/form_email=[^\r\n\x26]+UNION\s+SELECT/Ui"; reference:bugtraq,14831; classtype:web-application-attack; sid:100000157; rev:1;)
+
+#Rules submitted by Avinash Shenoi (Cenzic Inc. CIA Research Team)
+alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=post"; nocase; pcre:"/(name|email|url)=[^\r\n]*\x3Cscript\x3E/smi"; reference:bugtraq,20045; classtype:web-application-activity; sid:100000878; rev:2;)
+alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; content:"POST"; nocase; depth:4; content:"method=preview"; nocase; content:"content="; nocase; distance:0; reference:bugtraq,20045; classtype:web-application-activity; sid:100000879; rev:2;)
+alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-CGI Roller Weblog XSS exploit"; flow:established,to_server; uricontent:"/sitesearch.do"; nocase; uricontent:"q="; nocase; uricontent:"<script>"; nocase; reference:bugtraq,20045; classtype:web-application-activity; sid:100000880; rev:2;)
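Review bot: sid:100000879 (the second of the three Roller rules at the end of the hunk) has no XSS condition at all: it matches any POST containing `method=preview` followed by `content=`, so every ordinary comment preview alerts under the message `Roller Weblog XSS exploit`. It needs a payload test like the one in sid:100000878, for example `pcre:"/content=[^\r\n]*\x3Cscript/smi";`. The three Roller rules also share one `msg` string, so an analyst can only tell them apart by sid; a suffix naming the parameter or path would help. Separately, the pcre in sid:100000117 has an unescaped `?` after `forumdisplay.php`, which makes the final `p` optional instead of matching the literal question mark; the other rules in the file write it as `\x3F`.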
--- /dev/null
+++ b/rules/rpc.rules
@@ -0,0 +1,234 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: rpc.rules,v 1.58.2.2.2.5 2005/06/29 15:35:04 mwatchinski Exp $
+#----------
+# RPC RULES
+#----------
+
+
+# portmap specific stuff.
+
+## bleck.  Not happy about this.  because of the non-rule ordering foo, I'm
+## checking the first byte in the version, which should always be 0.  When we
+## alert multiple times on a packet, I'll put these rules back to:
+##   content:"|0a 01 86 a0|"; offset:16; depth:4; content:"|00 00 00 05|";
+##    distance:4; within:4;
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2093; rev:5;)
+# this rule makes me not happy as well.  see above.
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2092; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1923; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1949; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1950; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:7;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1746; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1747; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1732; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1733; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;)
+
+
+# rusers
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;)
+# XXX - Need to find out if rusers exists on TCP and if so, implement one of
+# these for TCP...
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:8;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1890; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1891; rev:8;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:1951; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:1952; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2018; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2019; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2020; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2021; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2022; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2023; rev:4;)
+
+
+# amd
+alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1953; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1954; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1955; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:8;)
+
+# cmsd
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2094; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2095; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:10;)
+
+
+# sadmind
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:9;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:5;)
+
+
+# statd
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1913; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1914; rev:10;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1915; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1916; rev:9;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2088; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2089; rev:5;)
+
+# NFS
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1959; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1960; rev:7;)
+
+
+# rquota
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1961; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1962; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:8;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1964; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1965; rev:8;)
+
+# not sure what this rule is looking for, other than the procedure 15
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; reference:arachnids,241; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:9;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:6;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2025; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2026; rev:9;)
+
+
+
+# XXX - These need re-verified
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:7;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:6;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2034; rev:7;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2035; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2036; rev:6;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2037; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2038; rev:5;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2079; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2080; rev:6;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:9;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:8;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2255; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2256; rev:3;)
--- /dev/null
+++ b/rules/imap.rules
@@ -0,0 +1,73 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: imap.rules,v 1.24.2.7.2.5 2005/06/15 23:02:33 mwatchinski Exp $
+#--------------
+# IMAP RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:11;)
+
+# auth is an imap2 function and only accepts literal usage
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;)
+
+# FIND does not accept a literal command
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2046; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:13;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2529; rev:6;)
+alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2530; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2665; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:3007; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:3008; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3074; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3076; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3075; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:3058; rev:1;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:3072; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3067; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3069; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3073; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3071; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3068; rev:1;)
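Review bot: Three overflow rules in this hunk match their command keyword case-sensitively: sid:1842 (`content:"LOGIN";`), sid:2106 (`content:"LSUB";`) and sid:2107 (`content:"CREATE";`) have no `nocase;`, although their pcre carries the `i` flag and the sibling rules use `nocase`. IMAP command names are case-insensitive, so a lower- or mixed-case command fails the content match and the rule cannot fire. Add `nocase;` directly after each of those content options, e.g. `content:"LOGIN"; nocase; isdataat:100,relative;`. Separately, sid:3066 checks `isdataat:100,relative` while its pcre requires 256 bytes; `isdataat:256,relative` would agree with the pattern, as in sid:3070.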
--- /dev/null
+++ b/rules/community-dos.rules
@@ -0,0 +1,16 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-dos.rules,v 1.7 2007/02/22 20:44:35 akirk Exp $
+
+#Rule submitted by rmkml
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY DOS Tcpdump rsvp attack"; ip_proto:46; content:"|00 08 14 01 03 00 00 00|"; reference:cve,2005-1280; reference:cve,2005-1281; reference:bugtraq,13391; classtype:attempted-dos; sid:100000134; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1069 (msg:"COMMUNITY DOS Ethereal slimp overflow attempt"; content:"|6C C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 FF FF 00 00 01 00 00 00 56 57 F7|"; reference:cve,2005-3243; reference:url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html; classtype:attempted-dos; sid:100000175; rev:1;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 5005 (msg:"COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt"; flow:stateless; content:"|21 43 65 87|"; reference:cve,2005-1928; reference:url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities; classtype:attempted-dos; sid:100000215; rev:2;)
+
+#Rules submitted by the Verisign MSS Operations Team
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6667:7000 (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000686; rev:2;)
+alert tcp $HOME_NET 6667:7000 -> $EXTERNAL_NET any (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000687; rev:2;)
+
+#Rule submitted by Dan Protich
+alert udp $EXTERNAL_NET !53 <> $HOME_NET !53  (msg:"COMMUNITY DOS Single-Byte UDP Flood"; content:"0"; dsize:1; classtype:attempted-dos; threshold: type threshold, track by_dst, count 200, seconds 60; sid:100000923; rev:1;)
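Review bot: The outbound EnergyMech rule (sid:100000687) pairs a header whose source is `$HOME_NET 6667:7000` with `flow:to_server,established`, so it only matches packets sent towards a server from a source port in the IRC range. If it is meant to mirror sid:100000686 for internal clients talking to external IRC servers, the header would read `alert tcp $HOME_NET any -> $EXTERNAL_NET 6667:7000`. If it is meant to watch an internal IRC server's output, the flow option would be `flow:to_client,established;`. As written neither case appears to be covered, so the intent should be confirmed with the submitter before relying on this rule.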
--- /dev/null
+++ b/rules/icmp.rules
@@ -0,0 +1,50 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: icmp.rules,v 1.25.2.1.2.2 2005/05/16 22:17:51 mwatchinski Exp $
+#-----------
+# ICMP RULES
+#-----------
+#
+# Description:
+# These rules are potentially bad ICMP traffic.  They include most of the
+# ICMP scanning tools and other "BAD" ICMP traffic (Such as redirect host)
+#
+# Other ICMP rules are included in icmp-info.rules
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;)
+alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
+alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
+alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
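Review bot: Several rules in this file match on packet size alone with no payload signature, and the header comment does not say so. sid:469 (`dsize:0; itype:8`) is labelled as NMAP but matches any empty echo request, and sid:499 (`dsize:>800`) matches any large ICMP payload. An analyst reading the `msg` text would assume a tool fingerprint. I would add a comment above them such as `# sid 469, 478 and 499 match on size/ID fields only; expect benign hits and tune per sensor`.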
--- /dev/null
+++ b/rules/other-ids.rules
@@ -0,0 +1,37 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: other-ids.rules,v 1.10.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+# ---------------
+# OTHER-IDS RULES
+# ---------------
+# These signatures look for uses of other IDSs.
+#
+# These signatures serve two purposes.
+#  1) If you are "IDS GUY" for a company, and someone else sets up an IDS
+#     without letting you know, thats bad.
+#  2) If you are "pen-tester", this is a good way to find out what IDS
+#     systems your target is using after you have gained access to their
+#     network.
+#
+
+
+alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;)
+alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;)
+
+# To limit false positives, limit to the default port of 975
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;)
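Review bot: The comment above sid:1629 says the rule is limited to the default port of 975, but the header is `$EXTERNAL_NET any -> $HOME_NET any`, so the six-byte content match runs against every established TCP stream. Either restrict the header, `alert tcp $EXTERNAL_NET any -> $HOME_NET 975`, or reword the comment as advice, `# To limit false positives, restrict the destination port to 975 (the default)`. The rule also uses `flow:established` with no direction, which may be intentional but is worth stating in the comment.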
--- /dev/null
+++ b/rules/scan.rules
@@ -0,0 +1,48 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: scan.rules,v 1.29.2.3.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#-----------
+# SCAN RULES
+#-----------
+# These signatures are representitive of network scanners.  These include
+# port scanning, ip mapping, and various application scanners.
+#
+# NOTE: This does NOT include web scanners such as whisker.  Those are
+# in web*
+#
+
+alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
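Review bot: sid:619 and sid:1133 carry the identical message `"SCAN cybercop os probe"` while matching different things (`flags:SF12` on port 80 versus `flags:SFP` with a content match on `$HTTP_PORTS`), so the two alerts cannot be told apart in logs without the sid. Naming the second one after its flag set, as sid:626 and sid:627 already do, would fix that: `msg:"SCAN cybercop os SFP probe";`. The header comment also has a typo, "representitive" for "representative".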
--- /dev/null
+++ b/rules/virus.rules
@@ -0,0 +1,35 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: virus.rules,v 1.28.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#------------
+# VIRUS RULES
+#------------
+#
+# We don't care about virus rules anymore.  BUT, you people won't stop asking
+# us for virus rules.  So... here ya go.
+#
+# There is now one rule that looks for any of the following attachment types:
+#
+#   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
+#   eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
+#   nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
+#   vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
+#   xlt, xlw
+#
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:8;)
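Review bot: The header comment lists the extensions but not the rule's coverage limits, which matter if sid:721 is read as a control. The rule inspects only traffic from `$HOME_NET` to port 25, and only a literal `filename=` parameter following `Content-Disposition:`. Attachment names carried in other MIME parameter forms or in encoded header values are not examined by this pattern. I would add a comment above the rule such as `# Covers cleartext filename= on outbound port 25 only; treat as a hint, not as attachment filtering.`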
--- /dev/null
+++ b/rules/local.rules
@@ -0,0 +1,6 @@
+# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
+# ----------------
+# LOCAL RULES
+# ----------------
+# This file intentionally does not come with signatures.  Put your local
+# additions here.
--- /dev/null
+++ b/rules/community-nntp.rules
@@ -0,0 +1,6 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-nntp.rules,v 1.3 2006/02/16 15:51:19 akirk Exp $
+
+alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"COMMUNITY NNTP Lynx overflow attempt"; flow:to_server,established; content:"Subject"; nocase; pcre:"/^Subject\x3a[^\r\n]{100,}/smi"; reference:cve,2005-3120; reference:bugtraq,15117; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20019; reference:nessus,20035; classtype:attempted-admin; sid:100000172; rev:2;)
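Review bot: sid:100000172 combines a header for traffic coming from an external news server (`$EXTERNAL_NET 119 -> $HOME_NET any`) with `flow:to_server,established`, and those two conditions contradict each other for a normal NNTP session. The message and reference (cve,2005-3120) describe a Lynx overflow, which suggests the client side is being protected, so the server-to-client direction in the header looks like the intended one. In that case the flow option should be `flow:to_client,established;`, otherwise the rule is unlikely ever to match.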
--- /dev/null
+++ b/rules/community-bot.rules
@@ -0,0 +1,117 @@
+# Copyright 2006 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-bot.rules,v 1.5 2006/10/23 12:49:52 akirk Exp $
+
+
+# Some rules to look for botnets using popular bot software.
+# Contributed by David J. Bianco <david@vorant.com>
+#
+# A more detailed writeup can be found at:
+#
+#http://infosecpotpourri.blogspot.com/2006/03/detecting-common-botnets-with-snort.html
+#
+#
+# This rule merely looks for IRC traffic on any TCP port (by detecting
+# NICK change events, which occur at the beginning of the session) and
+# sets the is_proto_irc flowbit.  It does not actually generate any alerts
+# itself.
+alert tcp any any -> any any (msg:"COMMUNITY BOT IRC Traffic Detected By Nick Change"; flow: to_server,established; content:"NICK "; nocase; offset: 0; depth: 5; flowbits:set,community_is_proto_irc; flowbits: noalert; classtype:misc-activity; sid:100000240; rev:3;)
+
+# Using the aforementioned is_proto_irc flowbits, do some IRC checks.
+# This one looks for IRC servers running on the $HOME_NET
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY BOT Internal IRC server detected"; flow: to_server,established; flowbits:isset,community_is_proto_irc; classtype: policy-violation; sid:100000241; rev:2;)
+
+# These rules look for specific Agobot/PhatBot commands on an IRC session
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.about command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.about"; classtype: trojan-activity; sid:100000242; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.die command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.die"; classtype: trojan-activity; sid:100000243; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.dns command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.dns"; classtype: trojan-activity; sid:100000244; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.execute command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.execute"; classtype: trojan-activity; sid:100000245; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.id command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.id"; classtype: trojan-activity; sid:100000246; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.nick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.nick"; classtype: trojan-activity; sid:100000247; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.open command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.open"; classtype: trojan-activity; sid:100000248; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.remove command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.remove"; classtype: trojan-activity; sid:100000249; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.removeallbut command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.removeallbut"; classtype: trojan-activity; sid:100000250; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.rndnick"; classtype: trojan-activity; sid:100000251; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.status command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.status"; classtype: trojan-activity; sid:100000252; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.sysinfo command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.sysinfo"; classtype: trojan-activity; sid:100000253; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.longuptime command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.longuptime"; classtype: trojan-activity; sid:100000254; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.highspeed command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.highspeed"; classtype: trojan-activity; sid:100000255; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.quit command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.quit"; classtype: trojan-activity; sid:100000256; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.flushdns command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.flushdns"; classtype: trojan-activity; sid:100000257; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.secure command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.secure"; classtype: trojan-activity; sid:100000258; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.unsecure command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.unsecure"; classtype: trojan-activity; sid:100000259; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT Agobot/PhatBot bot.command command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bot.command"; classtype: trojan-activity; sid:100000260; rev:2;)
+
+# Now some rules to look for SDBot traffic, also on established IRC sessions.
+# There are fewer of these, since the commands themselves aren't so distinctive
+# (don't want a lot of false positives on regular IRC conversations).
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot killthread command"; flow: established; flowbits:isset,community_is_proto_irc; content:"killthread"; pcre:"/killthread\s+\d+\b/"; classtype: trojan-activity; sid:100000261; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot cdkey command"; flow: established; flowbits:isset,community_is_proto_irc; content:"cdkey"; classtype: trojan-activity; sid:100000262; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot getcdkey command"; flow: established; flowbits:isset,community_is_proto_irc; content:"getcdkey"; classtype: trojan-activity; sid:100000263; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"rndnick"; classtype: trojan-activity; sid:100000264; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot c_rndnick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"c_rndnick"; classtype: trojan-activity; sid:100000265; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SDBot c_nick command"; flow: established; flowbits:isset,community_is_proto_irc; content:"c_nick"; classtype: trojan-activity; sid:100000266; rev:2;)
+
+# Ok, on to SpyBot rules
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot stopspy  command"; flow: established; flowbits:isset,community_is_proto_irc; content:"stopspy"; classtype: trojan-activity; sid:100000267; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot redirectspy  command"; flow: established; flowbits:isset,community_is_proto_irc; content:"redirectspy"; classtype: trojan-activity; sid:100000268; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot loadclones command"; flow: established; flowbits:isset,community_is_proto_irc; content:"loadclones"; classtype: trojan-activity; sid:100000269; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot killclones command"; flow: established; flowbits:isset,community_is_proto_irc; content:"killclones"; classtype: trojan-activity; sid:100000270; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT SpyBot rawclones  command"; flow: established; flowbits:isset,community_is_proto_irc; content:"rawclones"; classtype: trojan-activity; sid:100000271; rev:2;)
+
+# Finally GT Bot rules.  These try to account for the case where the bot
+# herder has redifined the command character away from the default '!'.
+# The only bug here is that this won't detect the ':' as the cmdchar.  IRC
+# uses the colon as part of the protocol message, and it was confusing
+# any message the started with (e.g.) "portscan" at the beginning of the line
+# and bot commands in the form of ":portscan".
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot ver command"; flow: established; flowbits:isset,community_is_proto_irc; content:"ver"; pcre:"/(?<![a-zA-Z0-9\x3A\s])ver/"; classtype: trojan-activity; sid:100000272; rev:3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot info command"; flow: established; flowbits:isset,community_is_proto_irc; content:"info"; pcre:"/(?<![a-zA-Z0-9\x3A\s])info/"; classtype: trojan-activity; sid:100000273; rev:3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot scan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"scan"; pcre:"/(?<![a-zA-Z0-9\x3A\s])scan/"; classtype: trojan-activity; sid:100000274; rev:3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot portscan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"portscan"; pcre:"/(?<![a-zA-Z0-9\x3A\s])portscan/"; classtype: trojan-activity; sid:100000275; rev:3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot stopscan command"; flow: established; flowbits:isset,community_is_proto_irc; content:"stopscan"; pcre:"/(?<![a-zA-Z0-9\x3A\s])stopscan/"; classtype: trojan-activity; sid:100000276; rev:3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot packet command"; flow: established; flowbits:isset,community_is_proto_irc; content:"packet"; pcre:"/(?<![a-zA-Z0-9\x3A\s])packet/"; classtype: trojan-activity; sid:100000277; rev:3;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY BOT GTBot bnc command"; flow: established; flowbits:isset,community_is_proto_irc; content:"bnc"; pcre:"/(?<![a-zA-Z0-9\x3A\s])bnc/"; classtype: trojan-activity; sid:100000278; rev:3;)
+
+# Mytob chat rules by Philip Jew
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC DCC file transfer request"; flow:established,to_server; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; nocase; distance:0; pcre:"/^\s*PRIVMSG/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000900; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC DCC chat request"; flow:established,to_server; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; nocase; distance:0; pcre:"/^\s*PRIVMSG/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000901; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC channel join"; flow:established,to_server; content:"JOIN "; nocase; pcre:"/^\s*JOIN/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000902; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC dns request"; flow:established,to_server; content:"USERHOST "; nocase; pcre:"/^\s*USERHOST/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000903; rev:1;)
+alert tcp $EXTERNAL_NET 8585 -> $HOME_NET any (msg:"COMMUNITY BOT Mytob IRC dns response"; flow:established,to_client; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000904; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"COMMUNITY BOT Mytob IRC nick change"; flow:established,to_server; content:"NICK "; nocase; pcre:"/^\s*NICK/smi"; classtype:policy-violation; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99; sid:100000905; rev:1;)
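Review bot: Several bare-substring rules in this file overlap, so one IRC line raises multiple alerts attributed to different bot families. `content:"rndnick"` (sid:100000264) also matches `bot.rndnick` (sid:100000251) and `c_rndnick` (sid:100000265). `content:"cdkey"` (sid:100000262) also matches `getcdkey` (sid:100000263), and `bot.remove` (sid:100000249) matches `bot.removeallbut` (sid:100000250). The short SDBot tokens could carry a boundary check in the style the GTBot rules already use, for example `content:"rndnick"; pcre:"/(?<![\w.])rndnick\b/";`. All of these rules also use `flow: established` with no direction, so they match in both directions of the session. If only commands arriving at or leaving the internal host matter, the direction should be stated, and a comment should record which one is meant.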
--- /dev/null
+++ b/rules/rservices.rules
@@ -0,0 +1,35 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: rservices.rules,v 1.22.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#----------------
+# RSERVICES RULES
+#----------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
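Review bot: sid:604 is labelled `RSERVICES rsh froot` but watches port 513, where every neighbouring rule is named rlogin, and sid:609 carries the identical message on port 514. An analyst triaging the alert cannot tell from the message which service was hit. Renaming the first to `msg:"RSERVICES rlogin froot";` would match the convention used by the bin/root pairs (sids 602/607 and 606/610). The two rexec overflow rules (sids 2113 and 2114) have no `reference:` and no comment explaining what the `offset:9` and `distance:33` null-byte arithmetic is meant to measure. A one-line comment above each stating the field lengths assumed would make them reviewable.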
--- /dev/null
+++ b/rules/community-web-client.rules
@@ -0,0 +1,25 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-client.rules,v 1.21 2006/10/20 13:22:38 akirk Exp $
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; sid:100000118; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt"; flow:to_client,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; sid:100000119; rev:2;)
+#Rule submitted by Crusoe Researches Team
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt"; flow:from_server,established; content:"playlist"; nocase; content:"\\\\"; reference:bugtraq,16410; reference:cve,2006-0476; reference:url,www.frsirt.com/english/advisories/2006/0361; classtype:attempted-admin; sid:100000228; rev:2;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt"; flow:established; content:"on"; nocase; pcre:"/<[^>]*?(on[^>]*?=[\d\w]+\s+){30,}/smi"; reference:bugtraq,17131; reference:cve,2006-1245; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx; classtype:attempted-user; sid:100000238; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT IE createTextRange overflow attempt"; flow:to_client,established; content:".createTextRange"; nocase; classtype:attempted-user; reference:bugtraq,17196; reference:cve,2006-1359; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx; sid:100000239; rev:2;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding|3a|"; nocase; content:"chunked"; nocase; content:"Content-Type|3a|"; nocase; distance:0; content:"realvideo"; nocase; pcre:"/\r\n[0-9A-Fa-f]{9}/Ri"; reference:bugtraq,17202; reference:cve,2005-2922; reference:url,service.real.com/realplayer/security/03162006_player/en/; classtype:attempted-user; sid:100000284; rev:2;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt"; flow:to_client,established; content:"document|2e|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2e|body|2e|appendChild|28|document|2e|getElementById|28|"; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:100000447; rev:1;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT midi file download attempt"; flow:to_client,established; content:"Content-Type|3a|"; nocase; content:"audio|2f|midi"; nocase; distance:0; pcre:"/^Content-Type\s*\x3A\s*audio\x2Fmidi/smi"; flowbits:set,midi.download; flowbits:noalert; reference:bugtraq,18507; classtype:misc-activity; sid:100000692; rev:2;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT winamp midi file header overflow attempt"; flow:to_client,established; flowbits:isset,midi.download; content:"|4d 54 68 64 00 00 00 06 00 00 00 01 00 60 4d 54 72 6b 00 00 00|"; nocase; flowbits:unset,midi.download; reference:bugtraq,18507; classtype:attempted-user; sid:100000693; rev:2;)
+
+# Rule by <urleet@gmail.com>
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability"; flow:from_server,established; content:"E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29"; nocase; reference:url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14; classtype:attempted-user; sid:100000864; rev:2;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt"; content:"|01 da|"; byte_test: 2,>,4,9,relative; classtype: attempted-user; reference:bugtraq,19507; reference:cve,2006-4144; sid:100000881; rev:1;)
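Review bot: The Winamp playlist rule (sid:100000228) fires on any server response that contains `playlist` and, as I read the escaping, two consecutive backslashes, with nothing tying the second match to the first and no length check. Pages that merely mention playlists and contain escaped backslashes or UNC paths would be classified `attempted-admin`. Making the second content relative and requiring a long run after it would narrow this, for example `content:"\\\\"; distance:0; isdataat:<LEN>,relative;`, where `<LEN>` is a placeholder for the overflow threshold in the referenced advisory. Separately, `nocase` on the all-hex MIDI header content in sid:100000693 lets the letter bytes match in either case, which a binary magic value does not appear to need.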
--- /dev/null
+++ b/rules/remove-non-gpl.pl
@@ -0,0 +1,37 @@
+#!/usr/bin/perl
+#
+# Give a rules file, remove all alerts which are not GPL. Based on
+# Sourcefire's VRT Certified Rules License Agreement
+# (http://www.snort.org/about_snort/licenses/vrt_license.html)
+# this means that the rule's sid must be outside the 3,465 - 1,000,000 range
+#
+# This program is copyright 2007 by Javier Fernandez-Sanguino <jfs@debian.org>
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# For more information please see
+#  http://www.gnu.org/licenses/licenses.html#GPL
+#
+
+while (<STDIN>) {
+    if ( ! /^alert/ ) {
+        print ;
+    } elsif ( /sid:(\d+)[^\d]/ ) {
+        print if ( $1 < 3465 || $1 > 1000000 );
+    } else {
+        print "WARN: Alert without sid, will not print\n";
+    }
+}
+
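Review bot: The `else` branch prints `WARN: Alert without sid, will not print` to standard output, the same stream that carries the filtered rules, so the warning lands in the generated rules file as a line that is neither a comment nor a rule. It should go to standard error: `print STDERR "WARN: Alert without sid, will not print\n";`. The filter also only examines lines starting with `alert`, so commented-out rules (`#alert ...`) and rules using other actions pass through regardless of sid. If the goal is to drop every non-GPL signature, that pass-through deserves at least a comment stating it is intentional. The pattern `sid:(\d+)[^\d]` also assumes no space after the colon, while other options in these rule files are written with one (`flow: established`), so `sid:\s*(\d+)` would be more tolerant.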
--- /dev/null
+++ b/rules/ftp.rules
@@ -0,0 +1,112 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: ftp.rules,v 1.57.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#----------
+# FTP RULES
+#----------
+
+
+# protocol verification
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2374; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2391; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2392; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2343; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:1562; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:1734; rev:30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:1972; rev:16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:1973; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1974; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1975; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1976; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flow:to_server,established; dsize:10; content:"PWD"; nocase; classtype:protocol-command-decode; sid:1624; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; flow:to_server,established; dsize:10; content:"SYST"; nocase; classtype:protocol-command-decode; sid:1625; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:8;)
+
+
+
+
+# bad ftp commands
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1777; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1778; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:12;)
+
+# bad directories
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:11;)
+
+# vulnerabilities against specific implementations of ftp
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:360; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:8;)
+
+
+# BAD FILES
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)
+
+# suspicious login attempts
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2179; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx; classtype:misc-attack; sid:2338; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2272; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2574; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:3077; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:3441; rev:1;)
--- /dev/null
+++ b/rules/cgi-bin.list
@@ -0,0 +1,16 @@
+# (C) Copyright 2001,2002 Brian Caswell, et al.  All rights reserved.
+# $Id: cgi-bin.list,v 1.3 2002/08/18 20:28:43 cazz Exp $
+#--------------
+# cgi-bin list
+#--------------
+# if content-list actually worked, this would be our content-list for
+# the different CGI bin directories we would check for.
+
+"/cgi-bin/"
+"/cgi/"
+"/cgi-local/"
+"/perl/"
+"/mod_perl/"
+"/scripts/"
+"/comps/"
+"/cgi-bin-sdb/"
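Review bot: The header comment in cgi-bin.list says only "if content-list actually worked", which does not tell an operator that this file is inert. Nothing in the visible part of this patch references the list, and the web-cgi.rules entries that follow match on bare script names (for example `uricontent:"/test-cgi"`) rather than on these directory prefixes. Editing the list therefore presumably has no effect on detection coverage, which is easy to overlook when tuning for a site that serves CGI from a non-standard directory. I would state that in the header, e.g. `# NOTE: not loaded by any rule; reference only - changes here do not alter what web-cgi.rules detects.`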
--- /dev/null
+++ b/rules/web-cgi.rules
@@ -0,0 +1,396 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-cgi.rules,v 1.77.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# WEB-CGI RULES
+#--------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; flow:to_server,established; uricontent:"/hsx.cgi"; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; flow:to_server,established; uricontent:"/s.cgi"; nocase; content:"tmpl="; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flow:to_server,established; uricontent:"/wsisa.dll/WService="; nocase; content:"WSMadmin"; nocase; reference:arachnids,467; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:806; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:1637; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flow:to_server,established; uricontent:"/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whois_raw.cgi?"; content:"|0A|"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi access"; flow:to_server,established; uricontent:"/whois_raw.cgi"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flow:to_server,established; content:" /HTTP/1."; nocase; reference:arachnids,468; reference:bugtraq,932; reference:cve,2000-0066; classtype:attempted-recon; sid:811; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flow:to_server,established; uricontent:"/webplus?about"; nocase; reference:arachnids,470; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flow:to_server,established; uricontent:"/webplus?script"; nocase; content:"../"; reference:arachnids,471; reference:bugtraq,1102; reference:cve,2000-0282; classtype:web-application-attack; sid:813; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flow:to_server,established; uricontent:"/websendmail"; nocase; reference:arachnids,469; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; classtype:web-application-attack; sid:1571; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; flow:to_server,established; uricontent:"/dcforum.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt"; flow:to_server,established; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi access"; flow:to_server,established; uricontent:"/dcboard.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; flow:to_server,established; uricontent:"/mmstdod.cgi"; nocase; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory transversal attempt"; flow:to_server,established; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; classtype:web-application-attack; sid:820; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flow:to_server,established; uricontent:"/imagemap.exe"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flow:to_server,established; uricontent:"/cvsweb.cgi"; nocase; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript attempt"; flow:to_server,established; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access"; flow:to_server,established; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access"; flow:to_server,established; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access"; flow:to_server,established; uricontent:"/maillist.pl"; nocase; classtype:attempted-recon; sid:828; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access"; flow:to_server,established; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-maillist.pl"; nocase; reference:bugtraq,2563; reference:cve,2001-0400; classtype:attempted-recon; sid:1451; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-publish"; nocase; reference:cve,1999-1177; reference:nessus,10164; classtype:attempted-recon; sid:830; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access"; flow:to_server,established; uricontent:"/rguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:833; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access"; flow:to_server,established; uricontent:"/rwwwshell.pl"; nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi/*?*"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:9;)
+# testcgi is *one* of many scripts to look for.  this *ALSO* triggers on testcgi.exe.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flow:to_server,established; uricontent:"/testcgi"; nocase; reference:bugtraq,7214; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flow:to_server,established; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access"; flow:to_server,established; uricontent:"/textcounter.pl"; nocase; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access"; flow:to_server,established; uricontent:"/uploader.exe"; nocase; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access"; flow:to_server,established; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access"; flow:to_server,established; uricontent:"/perlshop.cgi"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:attempted-recon; sid:841; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access"; flow:to_server,established; uricontent:"/aglimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access"; flow:to_server,established; uricontent:"/AnForm2"; nocase; reference:arachnids,225; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access"; flow:to_server,established; uricontent:"/args.bat"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access"; flow:to_server,established; uricontent:"/args.cmd"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access"; flow:to_server,established; uricontent:"/AT-admin.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access"; flow:to_server,established; uricontent:"/AT-generated.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access"; flow:to_server,established; uricontent:"/bnbform.cgi"; nocase; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access"; flow:to_server,established; uricontent:"/view-source"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access"; flow:to_server,established; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access"; flow:to_server,established; uricontent:"/wwwwais"; nocase; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access"; flow:to_server,established; uricontent:"/files.pl"; nocase; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access"; flow:to_server,established; uricontent:"/wguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flow:to_server,established; uricontent:"/wrap"; reference:arachnids,234; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI classifieds.cgi access"; flow:to_server,established; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access"; flow:to_server,established; uricontent:"/environ.cgi"; nocase; classtype:attempted-recon; sid:856; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flow:to_server,established; uricontent:"/faxsurvey"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flow:to_server,established; uricontent:"/filemail.pl"; nocase; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flow:to_server,established; uricontent:"/man.sh"; nocase; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access"; flow:to_server,established; uricontent:"/snork.bat"; nocase; reference:arachnids,220; reference:bugtraq,1053; reference:cve,2000-0169; classtype:attempted-recon; sid:860; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access"; flow:to_server,established; uricontent:"/w3-msql/"; nocase; reference:arachnids,210; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access"; flow:to_server,established; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flow:to_server,established; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flow:to_server,established; uricontent:"/post-query"; nocase; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access"; flow:to_server,established; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,1999-0970; reference:cve,1999-1970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access"; flow:to_server,established; uricontent:"/dumpenv.pl"; nocase; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/calendar_admin.pl?config=|7C|"; reference:cve,2000-0432; classtype:web-application-attack; sid:1536; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; reference:cve,2000-0432; classtype:web-application-activity; sid:1537; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1456; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar.pl access"; flow:to_server,established; uricontent:"calendar"; nocase; pcre:"/calendar(|[-_]admin)\.pl/Ui"; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; classtype:attempted-recon; sid:870; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flow:to_server,established; uricontent:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; reference:bugtraq,3839; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; reference:bugtraq,2370; reference:cve,2001-0214; classtype:web-application-attack; sid:1397; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-attack; sid:899; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flow:to_server,established; uricontent:"/zml.cgi"; content:"file=../"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1395; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flow:to_server,established; uricontent:"/zml.cgi"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1396; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; flow:to_server,established; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flow:to_server,established; uricontent:"/store/agora.cgi?cart_id=<SCRIPT>"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi access"; flow:to_server,established; uricontent:"/store/agora.cgi"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rksh access"; flow:to_server,established; uricontent:"/rksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access"; flow:to_server,established; uricontent:"/bash"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe command attempt"; flow:to_server,established; uricontent:"/perl.exe?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl command attempt"; flow:to_server,established; uricontent:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zsh access"; flow:to_server,established; uricontent:"/zsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csh access"; flow:to_server,established; uricontent:"/csh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tcsh access"; flow:to_server,established; uricontent:"/tcsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rsh access"; flow:to_server,established; uricontent:"/rsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ksh access"; flow:to_server,established; uricontent:"/ksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; content:"menue=../../"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi access"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl attempt"; flow:to_server,established; uricontent:"/cgiforum.pl?thesection=../.."; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl access"; flow:to_server,established; uricontent:"/cgiforum.pl"; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show="; content:"../.."; distance:1; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-attack; sid:1574; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi access"; flow:to_server,established; uricontent:"/directorypro.cgi"; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-activity; sid:1467; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi attempt"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; content:"newpage=../"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:web-application-attack; sid:1468; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi access"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI listrec.pl access"; flow:to_server,established; uricontent:"/listrec.pl"; nocase; reference:bugtraq,3328; reference:cve,2001-0997; classtype:attempted-recon; sid:1470; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/book.cgi"; nocase; content:"current=|7C|"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi access"; flow:to_server,established; uricontent:"/book.cgi"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newsdesk.cgi access"; flow:to_server,established; uricontent:"/newsdesk.cgi"; nocase; reference:bugtraq,2172; reference:cve,2001-0232; classtype:attempted-recon; sid:1473; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl directory traversal attempt"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; content:"p0=../../"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack; sid:1704; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl access"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; nocase; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc access"; flow:to_server,established; uricontent:"/swc"; nocase; reference:nessus,10493; classtype:attempted-recon; sid:1478; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; content:"pg=../"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.cgi access"; flow:to_server,established; uricontent:"/upload.cgi"; nocase; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_source access"; flow:to_server,established; uricontent:"/view_source"; nocase; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl directory traversal attempt"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl access"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI icat access"; flow:to_server,established; uricontent:"/icat"; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Bugzilla doeditvotes.cgi access"; flow:to_server,established; uricontent:"/doeditvotes.cgi"; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary configuration file attempt"; flow:to_server,established; uricontent:"/htsearch?-c"; nocase; reference:cve,2000-0208; classtype:web-application-attack; sid:1600; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary file read attempt"; flow:to_server,established; uricontent:"/htsearch?exclude=`"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch access"; flow:to_server,established; uricontent:"/htsearch"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/a1disp3.cgi?/../../"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi access"; flow:to_server,established; uricontent:"/a1disp3.cgi"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats access"; flow:to_server,established; uricontent:"/a1stats/"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admentor admin.asp access"; flow:to_server,established; uricontent:"/admentor/admin/admin.asp"; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; uricontent:"/PRN/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1505; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; uricontent:"/NUL/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1506; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/alibaba.pl|7C|"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl"; reference:bugtraq,770; reference:cve ,CAN-1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; uricontent:"/query?mss=.."; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/test.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat access"; flow:to_server,established; uricontent:"/test.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat access"; flow:to_server,established; uricontent:"/input.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input2.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat access"; flow:to_server,established; uricontent:"/input2.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/envout.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat access"; flow:to_server,established; uricontent:"/envout.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/echo.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat access"; flow:to_server,established; uricontent:"/echo.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/hello.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat access"; flow:to_server,established; uricontent:"/hello.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tst.bat access"; flow:to_server,established; uricontent:"/tst.bat"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; reference:bugtraq,936; reference:cve,2000-0079; classtype:web-application-activity; sid:1539; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgimail access"; flow:to_server,established; uricontent:"/cgimail"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiwrap access"; flow:to_server,established; uricontent:"/cgiwrap"; nocase; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:"`"; content:"`"; distance:1; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi access"; flow:to_server,established; uricontent:"/csSearch.cgi"; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cart/cart.cgi access"; flow:to_server,established; uricontent:"/cart/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; classtype:web-application-activity; sid:1553; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dbman db.cgi access"; flow:to_server,established; uricontent:"/dbman/db.cgi"; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop access"; flow:to_server,established; uricontent:"/dcshop"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop orders.txt access"; flow:to_server,established; uricontent:"/orders/orders.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop auth_user_file.txt access"; flow:to_server,established; uricontent:"/auth_data/auth_user_file.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl arbitrary commane execution attempt"; flow:to_server,established; uricontent:"/eshop.pl?seite=|3B|"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl access"; flow:to_server,established; uricontent:"/eshop.pl"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/loadpage.cgi"; content:"file=../"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-attack; sid:1569; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi access"; flow:to_server,established; uricontent:"/loadpage.cgi"; nocase; reference:bugtraq,2109; reference:cve,2000-1092; classtype:web-application-activity; sid:1570; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/faqmanager.cgi?toc="; uricontent:"|00|"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi access"; flow:to_server,established; uricontent:"/faqmanager.cgi"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /fcgi-bin/echo.exe access"; flow:to_server,established; uricontent:"/fcgi-bin/echo.exe"; nocase; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"reply_message_attach="; nocase; content:"/../"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi external site redirection attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"redirect=http"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi access"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestbook.cgi access"; flow:to_server,established; uricontent:"/guestbook.cgi"; nocase; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Home Free search.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/search.cgi"; content:"letter=../.."; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-attack; sid:1598; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI search.cgi access"; flow:to_server,established; uricontent:"/search.cgi"; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.pl access"; flow:to_server,established; uricontent:"/environ.pl"; nocase; classtype:web-application-activity; sid:1651; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-activity; sid:1653; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart32.exe access"; flow:to_server,established; uricontent:"/cart32.exe"; nocase; reference:bugtraq,1153; classtype:web-application-activity; sid:1654; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/pfdispaly.cgi?'"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; content:"name=../"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi access"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ad.cgi access"; flow:to_server,established; uricontent:"/ad.cgi"; nocase; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-activity; sid:1709; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bbs_forum.cgi access"; flow:to_server,established; uricontent:"/bbs_forum.cgi"; nocase; reference:bugtraq,2177; reference:cve,2001-0123; reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bsguest.cgi access"; flow:to_server,established; uricontent:"/bsguest.cgi"; nocase; reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-activity; sid:1711; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bslist.cgi access"; flow:to_server,established; uricontent:"/bslist.cgi"; nocase; reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-activity; sid:1712; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgforum.cgi access"; flow:to_server,established; uricontent:"/cgforum.cgi"; nocase; reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-activity; sid:1713; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newdesk access"; flow:to_server,established; uricontent:"/newdesk"; nocase; classtype:web-application-activity; sid:1714; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI register.cgi access"; flow:to_server,established; uricontent:"/register.cgi"; nocase; reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-activity; sid:1715; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestguest.cgi access"; flow:to_server,established; uricontent:"/simplestguest.cgi"; nocase; reference:bugtraq,2106; reference:cve,2001-0022; classtype:web-application-activity; sid:1717; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI statsconfig.pl access"; flow:to_server,established; uricontent:"/statsconfig.pl"; nocase; reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-activity; sid:1718; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; content:"article=../../"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi access"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flow:to_server,established; uricontent:"/adcycle"; nocase; reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI document.d2w access"; flow:to_server,established; uricontent:"/document.d2w"; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI db2www access"; flow:to_server,established; uricontent:"/db2www"; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ access"; flow:to_server,established; uricontent:"/cgi-bin/"; content:"/cgi-bin/ HTTP"; nocase; classtype:web-application-attack; sid:1668; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-dos/ access"; flow:to_server,established; uricontent:"/cgi-dos/"; content:"/cgi-dos/ HTTP"; nocase; classtype:web-application-attack; sid:1669; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename="; nocase; content:"../../"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote print.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/technote/print.cgi"; nocase; content:"board="; nocase; content:"../../"; content:"%00"; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ads.cgi command execution attempt"; flow:to_server,established; uricontent:"/ads.cgi"; nocase; content:"file="; nocase; content:"../../"; content:"|7C|"; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi"; content:"page=../"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore access"; flow:to_server,established; uricontent:"/web_store.cgi"; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI shopping cart directory traversal"; flow:to_server,established; uricontent:"/shop.cgi"; content:"page=../"; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Allaire Pro Web Shell attempt"; flow:to_server,established; uricontent:"/authenticate.cgi?PASSWORD"; content:"config.ini"; classtype:web-application-attack; sid:1090; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Armada Style Master Index directory traversal"; flow:to_server,established; uricontent:"/search.cgi?keys"; content:"catigory=../"; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Talentsoft Web+ exploit attempt"; flow:to_server,established; uricontent:"/webplus.cgi?Script=/webplus/webping/webping.wml"; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Poll-it access"; flow:to_server,established; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI count.cgi access"; flow:to_server,established; uricontent:"/count.cgi"; nocase; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; content:"distloc=|3B|"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi access"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bigconf.cgi access"; flow:to_server,established; uricontent:"/bigconf.cgi"; nocase; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch attempt"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; content:"mail"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch access"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-activity; sid:1535; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi File attempt"; flow:to_server,established; uricontent:"/sojourn.cgi?cat="; content:"%00"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi access"; flow:to_server,established; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname attempt"; flow:to_server,established; uricontent:"/infosrch.cgi?"; content:"fname="; nocase; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-attack; sid:1196; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ax-admin.cgi access"; flow:to_server,established; uricontent:"/ax-admin.cgi"; classtype:web-application-activity; sid:1204; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI axs.cgi access"; flow:to_server,established; uricontent:"/axs.cgi"; classtype:web-application-activity; sid:1205; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cachemgr.cgi access"; flow:to_server,established; uricontent:"/cachemgr.cgi"; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI responder.cgi access"; flow:to_server,established; uricontent:"/responder.cgi"; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI web-map.cgi access"; flow:to_server,established; uricontent:"/web-map.cgi"; classtype:web-application-activity; sid:1211; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ministats admin access"; flow:to_server,established; uricontent:"/ministats/admin.cgi"; nocase; classtype:web-application-activity; sid:1215; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dfire.cgi access"; flow:to_server,established; uricontent:"/dfire.cgi"; nocase; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; content:"/../../../../"; classtype:web-application-attack; sid:1305; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi access"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; classtype:web-application-activity; sid:1304; rev:7;)
+# do we really need two of these?
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi product directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"product="; content:"../.."; reference:bugtraq,2385; reference:cve,2001-0305; classtype:web-application-attack; sid:1306; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"../"; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi access"; flow:to_server,established; uricontent:"/store.cgi"; nocase; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi attempt"; flow:to_server,established; uricontent:"/generate.cgi"; content:"content=../"; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi access"; flow:to_server,established; uricontent:"/generate.cgi"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-activity; sid:1495; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI spin_client.cgi access"; flow:to_server,established; uricontent:"/spin_client.cgi"; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword.cgi access"; flow:to_server,established; uricontent:"/csPassword.cgi"; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword password.cgi.tmp access"; flow:to_server,established; uricontent:"/password.cgi.tmp"; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?Nocfile="; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?|24|"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc access"; flow:to_server,established; uricontent:"/cgiproc"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Oracle reports CGI access"; flow:to_server,established; uricontent:"/rwcgi60"; content:"setauth="; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/alienform.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/af.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi access"; flow:established,to_server; uricontent:"/alienform.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi access"; flow:established,to_server; uricontent:"/af.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl arbitrary file read attempt"; flow:to_server,established; uricontent:"/story.pl"; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI siteUserMod.cgi access"; flow:to_server,established; uricontent:"/.cobalt/siteUserMod/siteUserMod.cgi"; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgicso access"; flow:to_server,established; uricontent:"/cgicso"; reference:bugtraq,6141; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-publish.cgi access"; flow:to_server,established; uricontent:"/nph-publish.cgi"; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printenv access"; flow:to_server,established; uricontent:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-nlog.pl access"; flow:to_server,established; uricontent:"/rpc-nlog.pl"; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-smb.pl access"; flow:to_server,established; uricontent:"/rpc-smb.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart.cgi access"; flow:to_server,established; uricontent:"/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi"; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi"; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI viralator.cgi access"; flow:to_server,established; uricontent:"/viralator.cgi"; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI smartsearch.cgi access"; flow:to_server,established; uricontent:"/smartsearch.cgi"; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:5;)
+
+# NOTES: this signature looks for someone accessing the web application
+# "way-board.cgi".  This application allows attackers to view arbitrary
+# files that are readable with the privilages of the web server.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"|3B|"; distance:0; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2085; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2086; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI album.pl access"; flow:to_server,established; content:"/album.pl"; nocase; reference:bugtraq,7444; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI chipcfg.cgi access"; flow:to_server,established; uricontent:"/chipcfg.cgi"; nocase; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ikonboard.cgi access"; flow:to_server,established; uricontent:"/ikonboard.cgi"; nocase; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swsrv.cgi access"; flow:to_server,established; uricontent:"/swsrv.cgi"; nocase; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CSMailto.cgi access"; flow:to_server,established; uricontent:"/CSMailto.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alert.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/cvsview2.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvslog.cgi access"; flow:to_server,established; uricontent:"/cvslog.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI multidiff.cgi access"; flow:to_server,established; uricontent:"/multidiff.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dnewsweb.cgi access"; flow:to_server,established; uricontent:"/dnewsweb.cgi"; nocase; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI download.cgi access"; flow:to_server,established; uricontent:"/download.cgi"; nocase; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI edit_action.cgi access"; flow:to_server,established; uricontent:"/edit_action.cgi"; nocase; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI everythingform.cgi access"; flow:to_server,established; uricontent:"/everythingform.cgi"; nocase; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezadmin.cgi access"; flow:to_server,established; uricontent:"/ezadmin.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezboard.cgi access"; flow:to_server,established; uricontent:"/ezboard.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezman.cgi access"; flow:to_server,established; uricontent:"/ezman.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fileseek.cgi access"; flow:to_server,established; uricontent:"/fileseek.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fom.cgi access"; flow:to_server,established; uricontent:"/fom.cgi"; nocase; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI getdoc.cgi access"; flow:to_server,established; uricontent:"/getdoc.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI global.cgi access"; flow:to_server,established; uricontent:"/global.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestserver.cgi access"; flow:to_server,established; uricontent:"/guestserver.cgi"; nocase; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imageFolio.cgi access"; flow:to_server,established; uricontent:"/imageFolio.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailfile.cgi access"; flow:to_server,established; uricontent:"/mailfile.cgi"; nocase; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailview.cgi access"; flow:to_server,established; uricontent:"/mailview.cgi"; nocase; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nsManager.cgi access"; flow:to_server,established; uricontent:"/nsManager.cgi"; nocase; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI readmail.cgi access"; flow:to_server,established; uricontent:"/readmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printmail.cgi access"; flow:to_server,established; uricontent:"/printmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI service.cgi access"; flow:to_server,established; uricontent:"/service.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI setpasswd.cgi access"; flow:to_server,established; uricontent:"/setpasswd.cgi"; nocase; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestmail.cgi access"; flow:to_server,established; uricontent:"/simplestmail.cgi"; nocase; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ws_mail.cgi access"; flow:to_server,established; uricontent:"/ws_mail.cgi"; nocase; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csNews.cgi access"; flow:to_server,established; uricontent:"/csNews.cgi"; nocase; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI psunami.cgi access"; flow:to_server,established; uricontent:"/psunami.cgi"; nocase; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gozila.cgi access"; flow:to_server,established; uricontent:"/gozila.cgi"; nocase; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI quickstore.cgi access"; flow:to_server,established; uricontent:"/quickstore.cgi"; nocase; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2387; rev:4;)
+# when we get por lists... merge this with 2387...
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whereami.cgi?g="; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi access"; flow:to_server,established; uricontent:"/whereami.cgi"; nocase; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 (msg:"WEB-CGI MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; uricontent:"/form2raw.cgi"; nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:3;)
+# the prevous rule looks for the attack, but we still want to catch the
+# scanners.  if we had port lists, this rule would be HTTP_PORTS and 3000
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; nocase; reference:bugtraq,9317; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pgpmail.pl access"; flow:to_server,established; uricontent:"/pgpmail.pl"; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI processit access"; flow:to_server,established; uricontent:"/processit.pl"; nocase; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI WhatsUpGold instancename overflow attempt"; flow:to_server,established; uricontent:"/_maincfgret.cgi"; nocase; pcre:"/instancename=[^&\x3b\r\n]{513}/smi"; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ibillpm.pl access"; flow:to_server,established; uricontent:"/ibillpm.pl"; nocase; reference:bugtraq,3476; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; uricontent:"/delhomepage.cgi"; reference:bugtraq,9791; classtype:web-application-activity; sid:3062; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailman directory traversal attempt"; flow:to_server,established; uricontent:"/mailman/"; uricontent:".../"; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats.pl command execution attempt"; flow:to_server,established; uricontent:"/awstats.pl?"; nocase; uricontent:"update="; pcre:"/update=[^\r\n\x26]+/Ui"; uricontent:"logfile="; nocase; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; reference:bugtraq,12572; classtype:web-application-attack; sid:3464; rev:1;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Ipswitch WhatsUp Gold dos attempt"; flow:to_server,established; uricontent:"/prn"; nocase; pcre:"/\/prn\.(asp|cgi|html?)/Ui"; reference:bugtraq,11110; reference:cve,2004-0799; reference:url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities; reference:url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html; reference:url,www.secunia.com/advisories/12578/; classtype:attempted-dos; sid:3469; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats access"; flow:to_server,established; uricontent:"/awstats.pl"; nocase; reference:bugtraq,12572; classtype:web-application-activity; sid:3463; rev:1;)
--- /dev/null
+++ b/rules/shellcode.rules
@@ -0,0 +1,50 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: shellcode.rules,v 1.25.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+# ---------------
+# SHELLCODE RULES
+# ---------------
+# These signatures are based on shellcode that is common ammong multiple
+# publicly available exploits.
+#
+# Because these signatures check ALL traffic for shellcode, these signatures
+# are disabled by default.  There is a LARGE performance hit by enabling
+# these signatures.
+#
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:640; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2312; rev:2;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2313; rev:2;)
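Review bot: sid:1390 (`content:"CCCCCCCCCCCCCCCCCCCCCCCC"`) and sid:1394 (`content:"aaaaaaaaaaaaaaaaaaaaa"`) match runs of printable ASCII on an `alert ip` header with no `depth`, `flow` or protocol constraint, so ordinary text, padding or encoded data will trigger them far more often than a real NOP sled. sid:1394 also reuses the msg `SHELLCODE x86 NOOP` of sid:648, so the two can only be told apart by sid in alert output. The header says these signatures are disabled by default, yet every rule in the file is a live `alert` line, so that presumably depends on the include for this file staying commented out in snort.conf. I would state this in the header, e.g. `# Disabled by default via the include in snort.conf; sid:1390 and sid:1394 match printable ASCII and need per-site thresholding or suppression before enabling.`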
--- /dev/null
+++ b/rules/porn.rules
@@ -0,0 +1,51 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: porn.rules,v 1.12.6.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#-------------
+# PORN RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1310; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1311; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1312; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1314; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1315; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1316; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1317; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1318; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1319; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1320; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1781; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1782; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1783; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1784; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1785; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1786; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1793; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1794; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1795; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin "; nocase; flow:to_client,established; classtype:kickass-porn; sid:1796; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;)
+
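Review bot: sid:1782 matches `content:"nipple"` and `content:"clamp"` independently anywhere in the packet, so it fires on any response that contains both words rather than on the phrase its msg names; tying the second match to the first with `content:"clamp"; nocase; distance:0; within:6;` would fix that. sid:1797 (`content:"BDSM"; nocase`) is a four-byte case-insensitive match over all server responses and is likely to fire on compressed or binary bodies, the same false-positive class as the single-word rules already commented out in this file. Every rule here also depends on `classtype:kickass-porn` being defined in the classification config, which this hunk does not show; if that entry is missing, Snort would reject the rules at load time.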
--- /dev/null
+++ b/rules/community-web-php.rules
@@ -0,0 +1,474 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.  # These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-php.rules,v 1.32 2007/02/22 20:44:35 akirk Exp $
+
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP piranha default passwd attempt"; flow:to_server,established; uricontent:"/piranha/secure/control.php3"; content:"Authorization|3A| Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; classtype:attempted-recon; sid:100000151; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpinfo access"; flow:to_server,established; uricontent:"/phpinfo.php"; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:100000186; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP XSS attempt"; flow:to_server,established; uricontent:"|2E|php"; nocase; uricontent:"|3C|script|3E|"; nocase; uricontent:"|3C 2F|script|3E|"; nocase; classtype:web-application-attack; sid:100000187; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Vubb Path attempt"; flow:to_server,established; uricontent:"/forum/index.php"; nocase; content:"|26 66 3D 27|"; reference:cve,2005-3513; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2; classtype:web-application-attack; sid:100000188; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access"; flow:to_server,established; content:"GET"; nocase; depth:3; uricontent:"|2E|php"; nocase; uricontent:"|5F|SERVER|5B|HTTP|5F|ACCEPT|5F|LANGUAGE|5D|"; nocase; reference:bugtraq,15414; reference:cve,2005-3347; classtype:web-application-attack; sid:100000195; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CuteNews flood.db.php access"; flow:to_server,established; uricontent:"/data/flood.db.php"; nocase; reference:bugtraq,14869; reference:cve,2005-3010; reference:nessus,19756; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19478; classtype:web-application-attack; sid:100000201; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB topic.php access"; flow:to_server,established; uricontent:"/topic.php"; nocase; uricontent:"tid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19404; classtype:web-application-attack; sid:100000202; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB misc.php access"; flow:to_server,established; uricontent:"/misc.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19405; classtype:web-application-attack; sid:100000203; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB pm.php access"; flow:to_server,established; uricontent:"/pm.php"; nocase; uricontent:"uid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19407; classtype:web-application-attack; sid:100000204; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB forums.php access"; flow:to_server,established; uricontent:"/forums.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19406; classtype:web-application-attack; sid:100000205; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB newpost.php access"; flow:to_server,established; uricontent:"/newpost.php"; nocase; uricontent:"fid|3D|"; nocase; reference:bugtraq,14851; reference:cve,2005-2989; reference:nessus,19750; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19408; classtype:web-application-attack; sid:100000206; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_itemId access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_itemId|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000211; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_return access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_return|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000212; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_view access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_view|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000213; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gallery g2_subView access"; flow:to_server,established; uricontent:"/main.php"; nocase; uricontent:"g2_subView|3D|"; nocase; reference:bugtraq,15108; reference:cve,2005-0222; reference:nessus,20015; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=13034; classtype:web-application-attack; sid:100000214; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MailGust SQL Injection email attempt"; flow:to_server,established; uricontent:"method|3D|remind_password"; nocase; uricontent:"list|3D|maillistuser"; nocase; uricontent:"email|3D 27|"; nocase; reference:bugtraq,14933; reference:cve,2005-3063; reference:nessus,19947; classtype:web-application-attack; sid:100000218; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path|3D|"; nocase; reference:url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=16244; classtype:web-application-attack; sid:100000220; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AppServ main.php appserv_root param access"; flow:to_server,established; uricontent:"/appserv/main.php"; nocase; uricontent:"appserv_root|3D|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22228; classtype:web-application-attack; sid:100000221; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt"; flow:to_server,established; uricontent:"ldap_var.inc.php"; nocase; uricontent:"includePath="; nocase; pcre:"/includePath=(https?|ftp)/Ui"; reference:bugtraq,17915; classtype:web-application-attack; sid:100000285; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP X Poll admin access"; flow:to_server,established; uricontent:"/admin/images/add.php"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2; classtype:web-application-attack; sid:100000286; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline ldap.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/ldap.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000287; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline atutor.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/atutor.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000288; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline db-generic.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/db-generic.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000289; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline docebo.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/docebo.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000290; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/dokeos.1.6.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000291; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline dokeos.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/dokeos.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000292; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline ganesha.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/ganesha.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000293; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline mambo.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/mambo.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000294; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline moodle.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/moodle.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000295; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline phpnuke.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/phpnuke.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000296; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline postnuke.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/postnuke.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000297; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline spip.inc.php access"; flow:to_server,established; uricontent:"claroline/auth/extauth/drivers/spip.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000298; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access"; flow:to_server,established; uricontent:"claroline/inc/lib/event/init_event_manager.inc.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000299; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access"; flow:to_server,established; uricontent:"claroline/inc/lib/export_exe_tracking.class.php"; reference:url,www.claroline.net; reference:url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2; classtype:web-application-attack; sid:100000300; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000304; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"index.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000305; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt"; flow:to_server,established; uricontent:"diapho.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000306; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"diapho.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000307; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt"; flow:to_server,established; uricontent:"affich.php"; nocase; uricontent:"rep="; nocase; pcre:"/rep=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000308; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt"; flow:to_server,established; uricontent:"affich.php"; nocase; uricontent:"image="; nocase; pcre:"/image=(https?|ftp)/Ui"; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2; classtype:web-application-attack; sid:100000309; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt"; flow:to_server,established; uricontent:"viewimage.php?imageid="; nocase; pcre:"/viewimage\.php\?imageid=(![\d]+[\sa-zA-Z_]+)|([\d]+[\sa-zA-Z_]+)/Ui"; reference:bugtraq,18270; classtype:web-application-attack; sid:100000445; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt"; flow:to_server,established; uricontent:"version="; nocase; pcre:"/[\x3f\x26\x3b]version=(![\d]+[\sa-zA-Z_]+)|([\d]+[\sa-zA-Z_]+)/Ui"; reference:bugtraq,18273; classtype:web-application-attack; sid:100000446; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Joomla joomla.php remote file include"; flow:to_server,established; uricontent:"/joomla.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18363; classtype:web-application-attack; sid:100000463; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include"; flow:to_server,established; uricontent:"/design.inc.php"; nocase; uricontent:"dir[data]="; nocase; pcre:"/dir\[data\]=(https?|ftp)/Ui"; reference:bugtraq,18370; classtype:web-application-attack; sid:100000464; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include"; flow:to_server,established; uricontent:"/sql_fcnsOLD.php"; nocase; uricontent:"phormationdir="; nocase; pcre:"/phormationdir=(https?|ftp)/Ui"; reference:bugtraq,18371; classtype:web-application-attack; sid:100000465; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard post.php remote file include"; flow:to_server,established; uricontent:"/post.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18373; classtype:web-application-attack; sid:100000466; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP WebprojectDB nav.php remote file include"; flow:to_server,established; uricontent:"/nav.php"; nocase; uricontent:"INCDIR="; nocase; pcre:"/INCDIR=(https?|ftp)/Ui"; reference:bugtraq,18378; classtype:web-application-attack; sid:100000467; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP WebprojectDB lang.php remote file include"; flow:to_server,established; uricontent:"/lang.php"; nocase; uricontent:"INCDIR="; nocase; pcre:"/INCDIR=(https?|ftp)/Ui"; reference:bugtraq,18378; classtype:web-application-attack; sid:100000468; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP iFoto index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"dir="; nocase; pcre:"/dir(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18391; classtype:web-application-attack; sid:100000469; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Foing manage_songs.php remote file include"; flow:to_server,established; uricontent:"/manage_songs.php"; nocase; uricontent:"foing_root_path="; nocase; pcre:"/foing_root_path=(https?|ftp)/Ui"; reference:bugtraq,18392; classtype:web-application-attack; sid:100000470; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"objectID="; nocase; pcre:"/objectID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000471; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"MAINID="; nocase; pcre:"/MAINID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000472; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt"; flow:to_server,established; uricontent:"/language.php"; nocase; uricontent:"Action="; nocase; pcre:"/Action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000473; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"QuaranID="; nocase; pcre:"/QuaranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000474; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"ShowByQuranID="; nocase; pcre:"/ShowByQuranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000475; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt"; flow:to_server,established; uricontent:"/meaning.php"; nocase; uricontent:"Action="; nocase; pcre:"/Action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000476; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt"; flow:to_server,established; uricontent:"/subject.php"; nocase; uricontent:"MainID="; nocase; pcre:"/MainID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18403; classtype:web-application-attack; sid:100000477; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP aWebNews visview.php remote file include"; flow:to_server,established; uricontent:"/visview.php"; nocase; uricontent:"path_to_news="; nocase; pcre:"/path_to_news=(https?|ftp)/Ui"; reference:bugtraq,18406; classtype:web-application-attack; sid:100000478; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CzarNews headlines.php remote file include"; flow:to_server,established; uricontent:"/headlines.php"; nocase; uricontent:"tpath="; nocase; pcre:"/tpath=(https?|ftp)/Ui"; reference:bugtraq,18411; classtype:web-application-attack; sid:100000479; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Somery team.php remote file include"; flow:to_server,established; uricontent:"/team.php"; nocase; uricontent:"checkauth="; nocase; pcre:"/checkauth=(https?|ftp)/Ui"; reference:bugtraq,18412; classtype:web-application-attack; sid:100000480; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include"; flow:to_server,established; uricontent:"/signed.php"; nocase; uricontent:"phphg_real_path="; nocase; pcre:"/phphg_real_path=(https?|ftp)/Ui"; reference:bugtraq,18413; classtype:web-application-attack; sid:100000481; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BoastMachine vote.php remote file include"; flow:to_server,established; uricontent:"/vote.php"; nocase; uricontent:"bmc_dir="; nocase; pcre:"/bmc_dir=(https?|ftp)/Ui"; reference:bugtraq,18415; classtype:web-application-attack; sid:100000482; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Wheatblog view_links.php remote file include"; flow:to_server,established; uricontent:"/view_links.php"; nocase; uricontent:"wb_inc_dir="; nocase; pcre:"/wb_inc_dir=(https?|ftp)/Ui"; reference:bugtraq,18416; classtype:web-application-attack; sid:100000483; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt"; flow:to_server,established; uricontent:"/ftp_index.php"; nocase; uricontent:"lpath="; nocase; pcre:"/lpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18426; classtype:web-application-attack; sid:100000484; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RahnemaCo page.php remote file include"; flow:to_server,established; uricontent:"/page.php"; nocase; uricontent:"osCsid="; nocase; pcre:"/osCsid=(https?|ftp)/Ui"; reference:bugtraq,18435; classtype:web-application-attack; sid:100000485; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"vsDragonRootPath="; nocase; pcre:"/vsDragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18440; classtype:web-application-attack; sid:100000486; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include"; flow:to_server,established; uricontent:"/server.inc.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000487; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include"; flow:to_server,established; uricontent:"/app.inc.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000488; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig login.php remote file include"; flow:to_server,established; uricontent:"/login.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000489; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include"; flow:to_server,established; uricontent:"/trylogin.php"; nocase; uricontent:"go_info[isp][classes_root]="; nocase; pcre:"/go_info\[isp\]\[classes_root\]=(https?|ftp)/Ui"; reference:bugtraq,18441; classtype:web-application-attack; sid:100000490; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB posting.php remote file include"; flow:to_server,established; uricontent:"/posting.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000491; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include"; flow:to_server,established; uricontent:"/newpm.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000492; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include"; flow:to_server,established; uricontent:"/postreply.php"; nocase; uricontent:"templatefolder="; nocase; pcre:"/templatefolder=(https?|ftp)/Ui"; reference:bugtraq,18455; classtype:web-application-attack; sid:100000493; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt"; flow:to_server,established; uricontent:"/write_ok.php"; nocase; uricontent:"$s_file_name="; nocase; pcre:"/$s_file_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18458; classtype:web-application-attack; sid:100000494; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt"; flow:to_server,established; uricontent:"/write_ok.php"; nocase; uricontent:"$file_name="; nocase; pcre:"/$file_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18458; classtype:web-application-attack; sid:100000495; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"anfang="; nocase; pcre:"/anfang(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18463; classtype:web-application-attack; sid:100000496; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Calendarix cal_event.php SQL injection attempt"; flow:to_server,established; uricontent:"/cal_event.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18469; classtype:web-application-attack; sid:100000497; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt"; flow:to_server,established; uricontent:"/cal_popup.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18469; classtype:web-application-attack; sid:100000498; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include"; flow:to_server,established; uricontent:"/thumstbl.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000499; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include"; flow:to_server,established; uricontent:"/wpfiles.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000500; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include"; flow:to_server,established; uricontent:"/wallpapr.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18471; classtype:web-application-attack; sid:100000501; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include"; flow:to_server,established; uricontent:"/tag.class.php"; nocase; uricontent:"mycfg="; nocase; pcre:"/mycfg=(https?|ftp)/Ui"; reference:bugtraq,18474; classtype:web-application-attack; sid:100000502; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS action.php remote file include"; flow:to_server,established; uricontent:"/action.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000503; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS media.php remote file include"; flow:to_server,established; uricontent:"/media.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000504; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS server.php remote file include"; flow:to_server,established; uricontent:"/server.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000505; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include"; flow:to_server,established; uricontent:"/api_metaweblog.inc.php"; nocase; uricontent:"DIR_LIB="; nocase; pcre:"/DIR_LIB=(https?|ftp)/Ui"; reference:bugtraq,18475; classtype:web-application-attack; sid:100000506; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlashChat adminips.php remote file include"; flow:to_server,established; uricontent:"/adminips.php"; nocase; uricontent:"banned_file="; nocase; pcre:"/banned_file=(https?|ftp)/Ui"; reference:bugtraq,18480; classtype:web-application-attack; sid:100000507; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Wikkawiki wakka.php access"; flow:to_server,established; uricontent:"/wakka.php"; nocase; uricontent:"="; nocase;  reference:bugtraq,18481; classtype:web-application-activity; sid:100000508; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RahnemaCo page.php remote file include"; flow:to_server,established; uricontent:"/page.php"; nocase; uricontent:"pageid="; nocase; pcre:"/pageid=(https?|ftp)/Ui"; reference:bugtraq,18490; classtype:web-application-attack; sid:100000509; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt"; flow:to_server,established; uricontent:"/rank.php"; nocase; uricontent:"MemberID="; nocase; pcre:"/MemberID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000510; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt"; flow:to_server,established; uricontent:"/message.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000511; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt"; flow:to_server,established; uricontent:"/lng.php"; nocase; uricontent:"QuranID="; nocase; pcre:"/QuranID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18497; classtype:web-application-attack; sid:100000512; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt"; flow:to_server,established; uricontent:"/showcat.php"; nocase; uricontent:"forumid="; nocase; pcre:"/forumid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18501; classtype:web-application-attack; sid:100000513; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt"; flow:to_server,established; uricontent:"/misc.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18501; classtype:web-application-attack; sid:100000514; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CMS Faethon header.php xss attempt"; flow:to_server,established; uricontent:"data/header.php"; nocase; uricontent:"mainpath="; nocase; pcre:"/mainpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18505; classtype:web-application-attack; sid:100000515; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt"; flow:to_server,established; uricontent:"data/footer.php"; nocase; uricontent:"mainpath="; nocase; pcre:"/mainpath(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18505; classtype:web-application-attack; sid:100000516; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP e107 search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"ep="; nocase; pcre:"/ep(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18508; classtype:web-application-attack; sid:100000517; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include"; flow:to_server,established; uricontent:"/initiate.php"; nocase; uricontent:"abs_path="; nocase; pcre:"/abs_path=(https?|ftp)/Ui"; reference:bugtraq,18509; classtype:web-application-attack; sid:100000518; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"user="; nocase; pcre:"/user(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18516; classtype:web-application-attack; sid:100000519; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt"; flow:to_server,established; uricontent:"/xaramcms_haupt.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18520; classtype:web-application-attack; sid:100000520; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"first_row="; nocase; pcre:"/first_row(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18524; classtype:web-application-attack; sid:100000521; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt"; flow:to_server,established; uricontent:"/productDetail.php"; nocase; uricontent:"cart_id="; nocase; pcre:"/cart_id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18528; classtype:web-application-attack; sid:100000522; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18533; classtype:web-application-attack; sid:100000523; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include"; flow:to_server,established; uricontent:"/microcms-include.php"; nocase; uricontent:"microcms_path="; nocase; pcre:"/microcms_path=(https?|ftp)/Ui"; reference:bugtraq,18537; classtype:web-application-attack; sid:100000524; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt"; flow:to_server,established; uricontent:"/offer-pix.php"; nocase; uricontent:"PIC="; nocase; pcre:"/PIC(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18539; classtype:web-application-attack; sid:100000525; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt"; flow:to_server,established; uricontent:"cp/index.php"; nocase; uricontent:"from="; nocase; pcre:"/from(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18539; classtype:web-application-attack; sid:100000526; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AssoCIateD index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"menu="; nocase; pcre:"/menu(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18541; classtype:web-application-attack; sid:100000527; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt"; flow:to_server,established; uricontent:"/topic.php"; nocase; uricontent:"highlight="; nocase; pcre:"/highlight(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18542; classtype:web-application-attack; sid:100000528; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP NC Linklist index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18546; classtype:web-application-attack; sid:100000529; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP NC Linklist index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"view="; nocase; pcre:"/view(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18546; classtype:web-application-attack; sid:100000530; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt"; flow:to_server,established; uricontent:"/torrents.php"; nocase; uricontent:"by="; nocase; pcre:"/by(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18549; classtype:web-application-attack; sid:100000531; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt"; flow:to_server,established; uricontent:"/torrents.php"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18549; classtype:web-application-attack; sid:100000532; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt"; flow:to_server,established; uricontent:"includes/functions.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18561; classtype:web-application-attack; sid:100000533; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VUBB english.php xss attempt"; flow:to_server,established; uricontent:"language/english.php"; nocase; uricontent:"user="; nocase; pcre:"/user(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18562; classtype:web-application-attack; sid:100000534; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt"; flow:to_server,established; uricontent:"/galeria.php"; nocase; uricontent:"start="; nocase; pcre:"/start(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18566; classtype:web-application-attack; sid:100000535; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt"; flow:to_server,established; uricontent:"/galeria.php"; nocase; uricontent:"sort="; nocase; pcre:"/sort(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18566; classtype:web-application-attack; sid:100000536; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; classtype:web-application-attack; sid:100000537; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"catid="; nocase; pcre:"/catid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; classtype:web-application-attack; sid:100000538; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt"; flow:to_server,established; uricontent:"/printarticle.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18567; classtype:web-application-attack; sid:100000539; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"module="; nocase; pcre:"/module(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18590; classtype:web-application-attack; sid:100000540; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt"; flow:to_server,established; uricontent:"/picture.php"; nocase; uricontent:"pid="; nocase; pcre:"/pid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000541; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt"; flow:to_server,established; uricontent:"/mem.php"; nocase; uricontent:"mid="; nocase; pcre:"/mid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000542; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"sex="; nocase; pcre:"/sex(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000543; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"relationship="; nocase; pcre:"/relationship(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18607; classtype:web-application-attack; sid:100000544; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/team_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000545; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/rss_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000546; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/manual_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000547; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include"; flow:to_server,established; uricontent:"root_includes/root_modules/forum_admin.php"; nocase; uricontent:"DragonRootPath="; nocase; pcre:"/DragonRootPath=(https?|ftp)/Ui"; reference:bugtraq,18609; classtype:web-application-attack; sid:100000548; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt"; flow:to_server,established; uricontent:"/user_view.php"; nocase; uricontent:"u="; nocase; pcre:"/u(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18626; classtype:web-application-attack; sid:100000549; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access"; flow:to_server,established; uricontent:"/comment.php"; nocase; uricontent:"="; nocase;  reference:bugtraq,18627; classtype:web-application-activity; sid:100000550; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access"; flow:to_server,established; uricontent:"/aolbonics.php"; nocase; uricontent:"="; nocase;  reference:bugtraq,18627; classtype:web-application-activity; sid:100000551; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include"; flow:to_server,established; uricontent:"include/inc_foot.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18628; classtype:web-application-attack; sid:100000552; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include"; flow:to_server,established; uricontent:"sms_config/gateway.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:bugtraq,18633; classtype:web-application-attack; sid:100000553; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"tid="; nocase; pcre:"/tid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000554; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"lid="; nocase; pcre:"/lid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000555; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau error.php xss attempt"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"sid="; nocase; pcre:"/sid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000556; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"f_user="; nocase; pcre:"/f_user(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000557; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VebiMiau messages.php xss attempt"; flow:to_server,established; uricontent:"/messages.php"; nocase; uricontent:"pag="; nocase; pcre:"/pag(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18643; classtype:web-application-attack; sid:100000558; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"post="; nocase; pcre:"/post(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18644; classtype:web-application-attack; sid:100000559; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include"; flow:to_server,established; uricontent:"/root_header.php"; nocase; uricontent:"ppath="; nocase; pcre:"/ppath=(https?|ftp)/Ui"; reference:bugtraq,18649; classtype:web-application-attack; sid:100000560; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP dotProject ui.class.php xss attempt"; flow:to_server,established; uricontent:"/ui.class.php"; nocase; uricontent:"login="; nocase; pcre:"/login(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18650; classtype:web-application-attack; sid:100000561; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"sort="; nocase; pcre:"/sort(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000562; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000563; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000564; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt"; flow:to_server,established; uricontent:"/show.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18651; classtype:web-application-attack; sid:100000565; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP XennoBB messages.php xss attempt"; flow:to_server,established; uricontent:"/messages.php"; nocase; uricontent:"tid="; nocase; pcre:"/tid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18652; classtype:web-application-attack; sid:100000566; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Qdig index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"pre_gallery="; nocase; pcre:"/pre_gallery(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18653; classtype:web-application-attack; sid:100000567; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Qdig index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"post_gallery="; nocase; pcre:"/post_gallery(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18653; classtype:web-application-attack; sid:100000568; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_change_email.php remote file include"; flow:to_server,established; uricontent:"admin/app_change_email.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000569; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include"; flow:to_server,established; uricontent:"admin/app_change_pwd.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000570; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include"; flow:to_server,established; uricontent:"admin/app_mod_rewrite.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000571; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include"; flow:to_server,established; uricontent:"admin/app_page_caching.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000572; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu app_setup.php remote file include"; flow:to_server,established; uricontent:"admin/app_setup.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000573; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_add.php remote file include"; flow:to_server,established; uricontent:"admin/cat_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000574; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_delete.php remote file include"; flow:to_server,established; uricontent:"admin/cat_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000575; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_edit.php remote file include"; flow:to_server,established; uricontent:"admin/cat_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000576; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include"; flow:to_server,established; uricontent:"admin/cat_path_update.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000577; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_search.php remote file include"; flow:to_server,established; uricontent:"admin/cat_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000578; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_struc.php remote file include"; flow:to_server,established; uricontent:"admin/cat_struc.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000579; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000580; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_hidden.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000581; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_hierarchy.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000582; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include"; flow:to_server,established; uricontent:"admin/cat_view_registered_only.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000583; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include"; flow:to_server,established; uricontent:"admin/checkurl_web.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000584; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_alter.php remote file include"; flow:to_server,established; uricontent:"admin/db_alter.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000585; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include"; flow:to_server,established; uricontent:"admin/db_alter_change.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000586; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_backup.php remote file include"; flow:to_server,established; uricontent:"admin/db_backup.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000587; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_export.php remote file include"; flow:to_server,established; uricontent:"admin/db_export.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000588; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu db_import.php remote file include"; flow:to_server,established; uricontent:"admin/db_import.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000589; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_add.php remote file include"; flow:to_server,established; uricontent:"admin/editor_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000590; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_delete.php remote file include"; flow:to_server,established; uricontent:"admin/editor_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000591; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu editor_validate.php remote file include"; flow:to_server,established; uricontent:"admin/editor_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000592; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu head.php remote file include"; flow:to_server,established; uricontent:"admin/head.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000593; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu index.php remote file include"; flow:to_server,established; uricontent:"admin/index.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000594; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_config.php remote file include"; flow:to_server,established; uricontent:"admin/inv_config.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000595; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include"; flow:to_server,established; uricontent:"admin/inv_config_payment.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000596; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_create.php remote file include"; flow:to_server,established; uricontent:"admin/inv_create.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000597; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_delete.php remote file include"; flow:to_server,established; uricontent:"admin/inv_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000598; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_edit.php remote file include"; flow:to_server,established; uricontent:"admin/inv_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000599; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_markpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000600; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_markunpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000601; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include"; flow:to_server,established; uricontent:"admin/inv_overdue.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000602; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_paid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_paid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000603; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_send.php remote file include"; flow:to_server,established; uricontent:"admin/inv_send.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000604; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include"; flow:to_server,established; uricontent:"admin/inv_unpaid.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000605; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu lang_modify.php remote file include"; flow:to_server,established; uricontent:"admin/lang_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000606; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_add.php remote file include"; flow:to_server,established; uricontent:"admin/link_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000607; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_bad.php remote file include"; flow:to_server,established; uricontent:"admin/link_bad.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000608; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include"; flow:to_server,established; uricontent:"admin/link_bad_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000609; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_checkurl.php remote file include"; flow:to_server,established; uricontent:"admin/link_checkurl.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000610; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_delete.php remote file include"; flow:to_server,established; uricontent:"admin/link_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000611; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include"; flow:to_server,established; uricontent:"admin/link_duplicate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000612; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_edit.php remote file include"; flow:to_server,established; uricontent:"admin/link_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000613; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include"; flow:to_server,established; uricontent:"admin/link_premium_listing.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000614; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include"; flow:to_server,established; uricontent:"admin/link_premium_sponsored.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000615; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_search.php remote file include"; flow:to_server,established; uricontent:"admin/link_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000616; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include"; flow:to_server,established; uricontent:"admin/link_sponsored_listing.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000617; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_validate.php remote file include"; flow:to_server,established; uricontent:"admin/link_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000618; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include"; flow:to_server,established; uricontent:"admin/link_validate_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000619; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu link_view.php remote file include"; flow:to_server,established; uricontent:"admin/link_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000620; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu log_search.php remote file include"; flow:to_server,established; uricontent:"admin/log_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000621; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu mail_modify.php remote file include"; flow:to_server,established; uricontent:"admin/mail_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000622; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu menu.php remote file include"; flow:to_server,established; uricontent:"admin/menu.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000623; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_create.php remote file include"; flow:to_server,established; uricontent:"admin/message_create.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000624; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_delete.php remote file include"; flow:to_server,established; uricontent:"admin/message_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000625; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_edit.php remote file include"; flow:to_server,established; uricontent:"admin/message_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000626; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_send.php remote file include"; flow:to_server,established; uricontent:"admin/message_send.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000627; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include"; flow:to_server,established; uricontent:"admin/message_subscriber.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000628; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu message_view.php remote file include"; flow:to_server,established; uricontent:"admin/message_view.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000629; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu review_validate.php remote file include"; flow:to_server,established; uricontent:"admin/review_validate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000630; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu review_validate_edit.php remote file include"; flow:to_server,established; uricontent:"admin/review_validate_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000631; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu summary.php remote file include"; flow:to_server,established; uricontent:"admin/summary.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000632; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_active.php remote file include"; flow:to_server,established; uricontent:"admin/template_active.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000633; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include"; flow:to_server,established; uricontent:"admin/template_add_custom.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000634; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_delete.php remote file include"; flow:to_server,established; uricontent:"admin/template_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000635; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include"; flow:to_server,established; uricontent:"admin/template_delete_file.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000636; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include"; flow:to_server,established; uricontent:"admin/template_duplicate.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000637; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_export.php remote file include"; flow:to_server,established; uricontent:"admin/template_export.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000638; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_import.php remote file include"; flow:to_server,established; uricontent:"admin/template_import.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000639; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_manager.php remote file include"; flow:to_server,established; uricontent:"admin/template_manager.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000640; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_modify.php remote file include"; flow:to_server,established; uricontent:"admin/template_modify.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000641; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include"; flow:to_server,established; uricontent:"admin/template_modify_file.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000642; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu template_rename.php remote file include"; flow:to_server,established; uricontent:"admin/template_rename.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000643; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_add.php remote file include"; flow:to_server,established; uricontent:"admin/user_add.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000644; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_delete.php remote file include"; flow:to_server,established; uricontent:"admin/user_delete.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000645; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_edit.php remote file include"; flow:to_server,established; uricontent:"admin/user_edit.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000646; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu user_search.php remote file include"; flow:to_server,established; uricontent:"admin/user_search.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000647; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Indexu whos.php remote file include"; flow:to_server,established; uricontent:"admin/whos.php"; nocase; uricontent:"admin_template_path="; nocase; pcre:"/admin_template_path=(https?|ftp)/Ui"; reference:bugtraq,18477; classtype:web-application-attack; sid:100000648; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"comment="; nocase; pcre:"/comment(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000649; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000650; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000651; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000652; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000653; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000654; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"comment="; nocase; pcre:"/comment(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000655; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000656; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000657; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"number="; nocase; pcre:"/number(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000658; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000659; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt"; flow:to_server,established; uricontent:"admin/guestbook.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000660; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000661; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"homepage="; nocase; pcre:"/homepage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000662; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"icq="; nocase; pcre:"/icq(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000663; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000664; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt"; flow:to_server,established; uricontent:"admin/edit.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18582; classtype:web-application-attack; sid:100000665; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia files.php remote file include"; flow:to_server,established; uricontent:"/files.php"; nocase; uricontent:"footer_prog="; nocase; pcre:"/footer_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000666; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia files.php remote file include"; flow:to_server,established; uricontent:"/files.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000667; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia pheader.php remote file include"; flow:to_server,established; uricontent:"/pheader.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000668; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia headlines.php remote file include"; flow:to_server,established; uricontent:"/headlines.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000669; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include"; flow:to_server,established; uricontent:"/web_statsConfig.php"; nocase; uricontent:"mod_dir="; nocase; pcre:"/mod_dir=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000670; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia preload.php remote file include"; flow:to_server,established; uricontent:"/preload.php"; nocase; uricontent:"func_prog="; nocase; pcre:"/func_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000671; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia users.php remote file include"; flow:to_server,established; uricontent:"/users.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000672; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include"; flow:to_server,established; uricontent:"/web_statsConfig.php"; nocase; uricontent:"php_ext="; nocase; pcre:"/php_ext=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000673; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000674; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia pfooter.php remote file include"; flow:to_server,established; uricontent:"/pfooter.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000675; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia missing.php remote file include"; flow:to_server,established; uricontent:"/missing.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000676; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia topics.php remote file include"; flow:to_server,established; uricontent:"/topics.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000677; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"mod_root="; nocase; pcre:"/mod_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000678; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"func_prog="; nocase; pcre:"/func_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000679; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000680; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"theme_root="; nocase; pcre:"/theme_root=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000681; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Harpia email.php remote file include"; flow:to_server,established; uricontent:"/email.php"; nocase; uricontent:"header_prog="; nocase; pcre:"/header_prog=(https?|ftp)/Ui"; reference:bugtraq,18614; classtype:web-application-attack; sid:100000682; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP cPanel select.html xss attempt"; flow:to_server,established; uricontent:"/select.html"; nocase; uricontent:"file="; nocase; pcre:"/file(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18655; classtype:web-application-attack; sid:100000683; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde index.php show XSS attempt"; flow:established,to_server; uricontent:"/services/help/index.php"; nocase; uricontent:"show="; nocase; uricontent:"URL=javascript"; nocase; reference:bugtraq,18845; classtype:web-application-attack; sid:100000703; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include"; flow:to_server,established; uricontent:"/comment.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000704; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include"; flow:to_server,established; uricontent:"admin/test.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000705; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include"; flow:to_server,established; uricontent:"admin/index.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000706; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include"; flow:to_server,established; uricontent:"admin/include/inc_adminfoot.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000707; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include"; flow:to_server,established; uricontent:"admin/comedit.php"; nocase; uricontent:"root="; nocase; pcre:"/root=(https?|ftp)/Ui"; reference:bugtraq,18697; classtype:web-application-attack; sid:100000708; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SquirrelMail search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"mailbox="; nocase; pcre:"/mailbox(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18700; classtype:web-application-attack; sid:100000709; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt"; flow:to_server,established; uricontent:"/annonces-p-f.php"; nocase; uricontent:"lid="; nocase; pcre:"/lid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18718; classtype:web-application-attack; sid:100000710; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid raids.php remote file include"; flow:to_server,established; uricontent:"/raids.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000711; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid register.php remote file include"; flow:to_server,established; uricontent:"/register.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000712; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid roster.php remote file include"; flow:to_server,established; uricontent:"/roster.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000713; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid view.php remote file include"; flow:to_server,established; uricontent:"/view.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000714; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid logs.php remote file include"; flow:to_server,established; uricontent:"/logs.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000715; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid users.php remote file include"; flow:to_server,established; uricontent:"/users.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000716; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid configuration.php remote file include"; flow:to_server,established; uricontent:"/configuration.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000717; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid guilds.php remote file include"; flow:to_server,established; uricontent:"/guilds.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000718; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000719; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid locations.php remote file include"; flow:to_server,established; uricontent:"/locations.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000720; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid login.php remote file include"; flow:to_server,established; uricontent:"/login.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000721; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include"; flow:to_server,established; uricontent:"/lua_output.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000722; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid permissions.php remote file include"; flow:to_server,established; uricontent:"/permissions.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000723; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid profile.php remote file include"; flow:to_server,established; uricontent:"/profile.php"; nocase; uricontent:"phpraid_dir="; nocase; pcre:"/phpraid_dir=(https?|ftp)/Ui"; reference:bugtraq,18719; classtype:web-application-attack; sid:100000724; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt"; flow:to_server,established; uricontent:"/view.php"; nocase; uricontent:"raid_id="; nocase; pcre:"/raid_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18720; classtype:web-application-attack; sid:100000725; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt"; flow:to_server,established; uricontent:"/diver.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18729; classtype:web-application-attack; sid:100000726; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt"; flow:to_server,established; uricontent:"/insertmember.php"; nocase; uricontent:"city="; nocase; pcre:"/city(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18735; classtype:web-application-attack; sid:100000727; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/links/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000728; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/polls/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000729; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/BlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000730; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/DeleteComment.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000731; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditIPofURL.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000732; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MTBlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000733; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelete.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000734; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MailAdmin.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000735; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog MassDelTrackback.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelTrackback.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000736; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditHeader.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000737; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog EditIP.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/EditIP.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000738; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/IPofUrl.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000739; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/Import.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000740; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/LogView.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000741; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/staticpages/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000742; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include"; flow:to_server,established; uricontent:"/dbinstall.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18750; classtype:web-application-attack; sid:100000743; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt"; flow:to_server,established; uricontent:"/tree.php"; nocase; uricontent:"grp_id="; nocase; pcre:"/grp_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18757; classtype:web-application-attack; sid:100000744; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18760; classtype:web-application-attack; sid:100000745; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Randshop header.inc.php remote file include"; flow:to_server,established; uricontent:"/header.inc.php"; nocase; uricontent:"dateiPfad="; nocase; pcre:"/dateiPfad=(https?|ftp)/Ui"; reference:bugtraq,18763; classtype:web-application-attack; sid:100000746; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000747; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS rss.php remote file include"; flow:to_server,established; uricontent:"/rss.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000748; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Plume CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config\[manager_path\]=(https?|ftp)/Ui"; reference:bugtraq,18780; classtype:web-application-attack; sid:100000749; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000750; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard about.php remote file include"; flow:to_server,established; uricontent:"/about.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000751; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard contact.php remote file include"; flow:to_server,established; uricontent:"/contact.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000752; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard delete.php remote file include"; flow:to_server,established; uricontent:"/delete.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000753; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard faq.php remote file include"; flow:to_server,established; uricontent:"/faq.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000754; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard features.php remote file include"; flow:to_server,established; uricontent:"/features.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000755; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Free QBoard history.php remote file include"; flow:to_server,established; uricontent:"/history.php"; nocase; uricontent:"qb_path="; nocase; pcre:"/qb_path=(https?|ftp)/Ui"; reference:bugtraq,18788; classtype:web-application-attack; sid:100000756; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; nocase; uricontent:"delete="; nocase; pcre:"/delete(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000757; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; nocase; uricontent:"pathext="; nocase; pcre:"/pathext(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000758; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt"; flow:to_server,established; uricontent:"/qtofm.php"; nocase; uricontent:"edit="; nocase; pcre:"/edit(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18791; classtype:web-application-attack; sid:100000759; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP The Banner Engine top.php xss attempt"; flow:to_server,established; uricontent:"/top.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18793; classtype:web-application-attack; sid:100000760; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt"; flow:to_server,established; uricontent:"/comments.php"; nocase; uricontent:"keyword="; nocase; pcre:"/keyword(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18798; classtype:web-application-attack; sid:100000761; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Randshop index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"incl="; nocase; pcre:"/incl=(https?|ftp)/Ui"; reference:bugtraq,18809; classtype:web-application-attack; sid:100000762; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access"; flow:to_server,established; uricontent:"/config.inc"; nocase; uricontent:"="; nocase;  reference:bugtraq,18816; classtype:web-application-activity; sid:100000763; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include"; flow:to_server,established; uricontent:"/global_header.php"; nocase; uricontent:"domain="; nocase; pcre:"/domain=(https?|ftp)/Ui"; reference:bugtraq,18834; classtype:web-application-attack; sid:100000764; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP LifeType index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"date="; nocase; pcre:"/date(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18835; classtype:web-application-attack; sid:100000765; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS thumb.php remote file include"; flow:to_server,established; uricontent:"/thumb.php"; nocase; uricontent:"gallery="; nocase; pcre:"/gallery=(https?|ftp)/Ui"; reference:bugtraq,18837; classtype:web-application-attack; sid:100000766; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"item="; nocase; pcre:"/item(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000767; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"blog="; nocase; pcre:"/blog(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000768; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"member="; nocase; pcre:"/member(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000769; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"typeface="; nocase; pcre:"/typeface(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000770; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"results="; nocase; pcre:"/results(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000771; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"DokiWiki="; nocase; pcre:"/DokiWiki(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000772; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"archives="; nocase; pcre:"/archives(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000773; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"category="; nocase; pcre:"/category(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000774; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"PHPSESSID="; nocase; pcre:"/PHPSESSID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000775; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"query="; nocase; pcre:"/query(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000776; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt"; flow:to_server,established; uricontent:"/action.php"; nocase; uricontent:"action="; nocase; pcre:"/action(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18839; classtype:web-application-attack; sid:100000777; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt"; flow:to_server,established; uricontent:"/maillist.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18840; classtype:web-application-attack; sid:100000778; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde index.php xss attempt"; flow:to_server,established; uricontent:"services/help/index.php"; nocase; uricontent:"show="; nocase; pcre:"/show(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000779; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde problem.php xss attempt"; flow:to_server,established; uricontent:"services/problem.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000780; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde go.php xss attempt"; flow:to_server,established; uricontent:"services/go.php"; nocase; uricontent:"untrusted="; nocase; pcre:"/untrusted(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000781; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Horde go.php xss attempt"; flow:to_server,established; uricontent:"services/go.php"; nocase; uricontent:"url="; nocase; pcre:"/url(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18845; classtype:web-application-attack; sid:100000782; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor create_course.php xss attempt"; flow:to_server,established; uricontent:"/create_course.php"; nocase; uricontent:"show_courses="; nocase; pcre:"/show_courses(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000783; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor create_course.php xss attempt"; flow:to_server,established; uricontent:"/create_course.php"; nocase; uricontent:"current_cat="; nocase; pcre:"/current_cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000784; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt"; flow:to_server,established; uricontent:"/password_reminder.php"; nocase; uricontent:"forgot="; nocase; pcre:"/forgot(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000785; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor browse.php xss attempt"; flow:to_server,established; uricontent:"/browse.php"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000786; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ATutor fix_content.php xss attempt"; flow:to_server,established; uricontent:"/fix_content.php"; nocase; uricontent:"submit="; nocase; pcre:"/submit(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18857; classtype:web-application-attack; sid:100000787; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FreeWebshop search.php xss attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"page="; nocase; pcre:"/page(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18878; classtype:web-application-attack; sid:100000788; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt"; flow:to_server,established; uricontent:"/details.php"; nocase; uricontent:"prod="; nocase; pcre:"/prod(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18878; classtype:web-application-attack; sid:100000789; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot edit_new.php remote file include"; flow:to_server,established; uricontent:"/edit_new.php"; nocase; uricontent:"Paths[extensions_path]="; nocase; pcre:"/Paths\[extensions_path\]=(https?|ftp)/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000790; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot pv_core.php access"; flow:to_server,established; uricontent:"/pv_core.php"; nocase; uricontent:"="; nocase;  reference:bugtraq,18881; classtype:web-application-activity; sid:100000791; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"fg="; nocase; pcre:"/fg(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000792; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"line1="; nocase; pcre:"/line1(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000793; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"line2="; nocase; pcre:"/line2(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000794; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"bg="; nocase; pcre:"/bg(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000795; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c1="; nocase; pcre:"/c1(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000796; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c2="; nocase; pcre:"/c2(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000797; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c3="; nocase; pcre:"/c3(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000798; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot blogroll.php xss attempt"; flow:to_server,established; uricontent:"/blogroll.php"; nocase; uricontent:"c4="; nocase; pcre:"/c4(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000799; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt"; flow:to_server,established; uricontent:"/editor_menu.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000800; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt"; flow:to_server,established; uricontent:"/editor_menu.php"; nocase; uricontent:"js_name="; nocase; pcre:"/js_name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18881; classtype:web-application-attack; sid:100000801; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000802; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds recent.php remote file include"; flow:to_server,established; uricontent:"/recent.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000803; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds account.php remote file include"; flow:to_server,established; uricontent:"/account.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000804; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds classified.php remote file include"; flow:to_server,established; uricontent:"/classified.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000805; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP BosClassifieds search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"insPath="; nocase; pcre:"/insPath=(https?|ftp)/Ui"; reference:bugtraq,18883; classtype:web-application-attack; sid:100000806; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"q="; nocase; pcre:"/q(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18893; classtype:web-application-attack; sid:100000807; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt"; flow:to_server,established; uricontent:"/ajaxp.php"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18897; classtype:web-application-attack; sid:100000808; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP RW Download stats.php remote file include"; flow:to_server,established; uricontent:"/stats.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18901; classtype:web-application-attack; sid:100000809; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPBB download.php remote file include"; flow:to_server,established; uricontent:"/download.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18914; classtype:web-application-attack; sid:100000810; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include"; flow:to_server,established; uricontent:"/attach_rules.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18914; classtype:web-application-attack; sid:100000811; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000812; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include"; flow:to_server,established; uricontent:"/file_upload.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000813; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include"; flow:to_server,established; uricontent:"/image_upload.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000814; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include"; flow:to_server,established; uricontent:"/performs.php"; nocase; uricontent:"sbp="; nocase; pcre:"/sbp=(https?|ftp)/Ui"; reference:bugtraq,18917; classtype:web-application-attack; sid:100000815; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include"; flow:to_server,established; uricontent:"/pccookbook.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18919; classtype:web-application-attack; sid:100000816; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SMF Forum smf.php remote file include"; flow:to_server,established; uricontent:"/smf.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18924; classtype:web-application-attack; sid:100000817; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt"; flow:to_server,established; uricontent:"/topics.php"; nocase; uricontent:"f="; nocase; pcre:"/f(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18928; classtype:web-application-attack; sid:100000818; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt"; flow:to_server,established; uricontent:"/add.php"; nocase; uricontent:"forumid="; nocase; pcre:"/forumid(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18934; classtype:web-application-attack; sid:100000820; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt"; flow:to_server,established; uricontent:"/sub-join.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000821; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt"; flow:to_server,established; uricontent:"/reply.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000822; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt"; flow:to_server,established; uricontent:"/ignore-pm.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000823; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt"; flow:to_server,established; uricontent:"/sendmail.php"; nocase; uricontent:"UserID="; nocase; pcre:"/UserID(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18937; classtype:web-application-attack; sid:100000824; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Phorum posting.php xss attempt"; flow:to_server,established; uricontent:"/posting.php"; nocase; uricontent:"mode="; nocase; pcre:"/mode(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18941; classtype:web-application-attack; sid:100000825; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Phorum search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"mode="; nocase; pcre:"/mode(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18941; classtype:web-application-attack; sid:100000826; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"email="; nocase; pcre:"/email(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000827; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"cond="; nocase; pcre:"/cond(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000828; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail address.view.php xss attempt"; flow:to_server,established; uricontent:"/address.view.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000829; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"dayprune="; nocase; pcre:"/dayprune(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000830; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt"; flow:to_server,established; uricontent:"/compose.email.php"; nocase; uricontent:"data[to]="; nocase; pcre:"/data\[to\](=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000831; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt"; flow:to_server,established; uricontent:"/read.markas.php"; nocase; uricontent:"markas="; nocase; pcre:"/markas(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000832; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.results.php"; nocase; uricontent:"fields[]="; nocase; pcre:"/fields\[\](=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18949; classtype:web-application-attack; sid:100000833; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt"; flow:to_server,established; uricontent:"/codes-english.php"; nocase; uricontent:"show="; nocase; pcre:"/show(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18956; classtype:web-application-attack; sid:100000834; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Lazarus picture.php xss attempt"; flow:to_server,established; uricontent:"/picture.php"; nocase; uricontent:"img="; nocase; pcre:"/img(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18956; classtype:web-application-attack; sid:100000835; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include"; flow:to_server,established; uricontent:"/com_minibb.php"; nocase; uricontent:"absolute_path="; nocase; pcre:"/absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18998; classtype:web-application-attack; sid:100000836; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"absolute_path="; nocase; pcre:"/absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18998; classtype:web-application-attack; sid:100000837; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt"; flow:to_server,established; uricontent:"/photocycle.php"; nocase; uricontent:"phppage="; nocase; pcre:"/phppage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18964; classtype:web-application-attack; sid:100000838; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include"; flow:to_server,established; uricontent:"/calendar.php"; nocase; uricontent:"path_to_calendar="; nocase; pcre:"/path_to_calendar=(https?|ftp)/Ui"; reference:bugtraq,18965; classtype:web-application-attack; sid:100000839; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlatNuke index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"mod="; nocase; pcre:"/mod=(https?|ftp)/Ui"; reference:bugtraq,18966; classtype:web-application-attack; sid:100000840; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PerForms performs.php remote file include"; flow:to_server,established; uricontent:"/performs.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18968; classtype:web-application-attack; sid:100000841; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt"; flow:to_server,established; uricontent:"/memberlist.php"; nocase; uricontent:"ip="; nocase; pcre:"/ip(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18969; classtype:web-application-attack; sid:100000842; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Koobi Pro index.php xss attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"showtopic="; nocase; pcre:"/showtopic(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18970; classtype:web-application-attack; sid:100000843; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"showtopic="; nocase; pcre:"/showtopic(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18970; classtype:web-application-attack; sid:100000844; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt"; flow:to_server,established; uricontent:"/ipsclass.php"; nocase; uricontent:"HTTP_CLIENT_IP="; nocase; pcre:"/HTTP_CLIENT_IP(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18984; classtype:web-application-attack; sid:100000845; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include"; flow:to_server,established; uricontent:"/user-func.php"; nocase; uricontent:"myadmindir="; nocase; pcre:"/myadmindir=(https?|ftp)/i"; reference:bugtraq,18990; classtype:web-application-attack; sid:100000846; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include"; flow:to_server,established; uricontent:"components/com_sitemap/sitemap.xml.php"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=(https?|ftp)/Ui"; reference:bugtraq,18991; classtype:web-application-attack; sid:100000847; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"accounts/inc/include.php"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/i"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000849; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"accounts/inc/include.php"; nocase; uricontent:"lang_settings="; nocase; pcre:"/lang_settings=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000850; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"admin/inc/include.php"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000851; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp include.php remote file include"; flow:to_server,established; uricontent:"admin/inc/include.php"; nocase; uricontent:"lang_settings="; nocase; pcre:"/lang_settings=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000852; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP IceWarp settings.html remote file include"; flow:to_server,established; uricontent:"mail/settings.html"; nocase; uricontent:"language="; nocase; pcre:"/language=(https?|ftp)/Ui"; reference:bugtraq,19007; classtype:web-application-attack; sid:100000853; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include"; flow:to_server,established; uricontent:"/listmessenger.php"; nocase; uricontent:"lm_path="; nocase; pcre:"/lm_path=(https?|ftp)/Ui"; reference:bugtraq,19014; classtype:web-application-attack; sid:100000854; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"name="; nocase; pcre:"/name(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000855; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"mail="; nocase; pcre:"/mail(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000856; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"ip="; nocase; pcre:"/ip(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000857; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"text="; nocase; pcre:"/text(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000858; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt"; flow:to_server,established; uricontent:"/class.php"; nocase; uricontent:"hidemail="; nocase; pcre:"/hidemail(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19019; classtype:web-application-attack; sid:100000859; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt"; flow:to_server,established; uricontent:"/room.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,19020; classtype:web-application-attack; sid:100000860; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include"; flow:to_server,established; uricontent:"Include/editor/rich_files/class.rich.php"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=(https?|ftp)/Ui"; reference:bugtraq,19023; classtype:web-application-attack; sid:100000861; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include"; flow:to_server,established; uricontent:"Include/editor/class.rich.php"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=(https?|ftp)/Ui"; reference:bugtraq,19023; classtype:web-application-attack; sid:100000862; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt"; flow:to_server,established; uricontent:"/view_com.php"; nocase; uricontent:"idsite="; nocase; pcre:"/idsite(=|\x3f)?\w*\x27/Ui"; reference:url,secunia.com/advisories/21451/; classtype:web-application-attack; sid:100000863; rev:1;)
+
+# Rules from <urleet@gmail.com>
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01"; flow:to_server,established; uricontent:"/s01.php|3f|shopid|3d|"; nocase; pcre:"/s01.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000865; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02"; flow:to_server,established; uricontent:"/s02.php|3f|shopid|3d|"; nocase; pcre:"/s02.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000866; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03"; flow:to_server,established; uricontent:"/s03.php|3f|shopid|3d|"; nocase; pcre:"/s03.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000867; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04"; flow:to_server,established; uricontent:"/s04.php|3f|shopid|3d|"; nocase; pcre:"/s04.php\x3fshopid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000868; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant"; flow:to_server,established; uricontent:"/sid|3d|"; nocase; content:"|26|shopid|3d|"; nocase; within:20; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000869; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2"; flow:to_server,established; uricontent:"/sid|3d|"; nocase; pcre:"/sid\x3d(https?|ftp)/Ui"; reference:url,www.powergap-shop.de; reference:url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html; classtype:web-application-attack; sid:100000870; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CubeCart XSS attack"; flow:to_server,established; uricontent:"/admin/filemanager/preview.php?file="; nocase; pcre:"/((1)?&(x|y)=)?/Ri"; reference:url,retrogod.altervista.org/cubecart_3011_adv.html; classtype:web-application-attack; sid:100000871; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP CubeCart XSS attack"; flow:to_server,established; uricontent:"/admin/login.php?email="; nocase; reference:url,retrogod.altervista.org/cubecart_3011_adv.html; classtype:web-application-attack; sid:100000872; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion"; flow:to_server,established; uricontent:"/plugins/plugins.php?type="; nocase; pcre:"/type\x3d(https?|ftp)/Ui"; classtype:web-application-attack; sid:100000873; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include"; flow:to_server,established; uricontent:"/globals.php"; nocase; uricontent:"abs_path="; nocase; pcre:"/abs_path=(https?|ftp)/Ui"; reference:bugtraq,19349; classtype:web-application-attack; sid:100000882; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Inlink remote file inclusion exploit"; flow:to_server,established; uricontent:"/includes/adodb/back/adodb-postgres7.inc.php"; nocase; reference:url,milw0rm.com/exploits/2295; classtype:web-application-attack; sid:100000883; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; content:"view=plink"; nocase; reference:url,milw0rm.com/exploits/2296; classtype:web-application-attack; sid:100000884; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP pHNews access attempt"; flow:to_server,established; uricontent:"/modules/commens.php"; nocase; content:"templates_dir"; nocase; content:"cmd="; nocase; reference:url,milw0rm.com/exploits/2298; classtype:web-application-attack; sid:100000885; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Proxima access attempt"; flow:to_server,established; uricontent:"/modules/Forums/bb_smilies.php"; nocase; content:"name="; nocase; content:"cmd="; nocase; reference:url,milw0rm.com/exploits/2299; classtype:web-application-attack; sid:100000886; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP pmwiki exploit attempt"; flow:to_server,established; content:"POST"; nocase; depth:4; content:"pmwiki.php"; nocase; distance:0; content:"n=PmWiki.BasicEditing"; nocase; distance:0; content:"action=edit"; nocase; distance:0; reference:url,milw0rm.com/exploits/2291; classtype:web-application-attack; sid:100000887; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP tikiwiki exploit attempt"; flow:to_server,established; content:"POST"; nocase; depth:4; content:"jhot.php"; nocase; distance:0; reference:url,milw0rm.com/exploits/2288; classtype:web-application-attack; sid:100000888; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP yappa-ng exploit attempt"; flow:to_server,established; uricontent:"/admin_modules/admin_module_deldir.inc.php"; nocase; content:"config"; nocase; reference:url,milw0rm.com/exploits/2292; classtype:web-application-attack; sid:100000889; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP UBB.threads remote file include"; flow:to_server,established; uricontent:"addpost_newpoll.php?"; nocase; uricontent:"thispath="; nocase; pcre:"/addpost_newpoll\x2Ephp\x3F[^\r\n]*thispath=(https?|ftp)/Ui"; classtype:web-application-attack; sid:100000906; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include"; flow:to_server,established; uricontent:"change_preferences.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000907; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include"; flow:to_server,established; uricontent:"create_file.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000908; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include"; flow:to_server,established; uricontent:"upload_local.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000909; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include"; flow:to_server,established; uricontent:"upload_multi.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000910; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include"; flow:to_server,established; uricontent:"/edit/adminlog.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000911; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include"; flow:to_server,established; uricontent:"/edit/postblog.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000912; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include"; flow:to_server,established; uricontent:"/edit/index.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000913; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include"; flow:to_server,established; uricontent:"/edit/index2.php?"; nocase; uricontent:"slogin="; nocase; pcre:"/slogin=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/archive/1/447500/30/0/threaded; classtype:web-application-attack; sid:100000914; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Somery Include.php remote file include"; flow:established,to_server; uricontent:"/include.php"; nocase; content:"skindir="; nocase; pcre:"/skindir=(https?|ftp)/Ui"; reference:bugtraq,19912; classtype:web-application-attack; sid:100000915; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt"; flow:established,to_server; uricontent:"/functions_post.php?"; nocase; content:"script="; nocase; pcre:"/script(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,19770; classtype:web-application-attack; sid:100000916; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt";flow:established,to_server; uricontent:"/includes/functions_kb.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,20367; classtype:web-application-attack; sid:100000917; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt"; flow:established,to_server; uricontent:"/includes/themen_portal_mitte.php?"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,20367; classtype:web-application-attack; sid:100000918; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt"; flow:established,to_server; uricontent:"themesettings.inc.php"; uricontent:"themesdir="; pcre:"/themesdir=(https?|ftp|\x2F)/Ui"; reference:bugtraq,20640; reference:cve,2006-5497; reference:url,osvdb.org/29904; reference:nessus,22922; reference:url,www.milw0rm.com/exploits/2600; classtype:web-application-attack; sid:100000919; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include"; flow:to_server,established; uricontent:"/bb_func_txt.php"; nocase; uricontent:"pathToFiles="; nocase; pcre:"/pathToFiles=(https?|ftp|\x2F)/Ui"; reference:bugtraq,20757; reference:url,osvdb.org/29971; reference:nessus,22926; classtype:web-application-attack; sid:100000920; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP PunBB register.php language variable remote file include"; flow:to_server,established; content:"register.php"; nocase; content:"language="; nocase; pcre:"/language=(\x2F|\x2E)/Ui"; reference:bugtraq,20786; reference:cve,2006-5735; reference:url,osvdb.org/30132; reference:nessus,22932; classtype:web-application-attack; sid:100000921; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection"; flow:to_server,established; uricontent:"/etomite/index.php"; nocase; uricontent:"id="; nocase; pcre:"/id=[A-Za-z0-9]{1,}\'/Ui"; reference:bugtraq,21135; reference:url,osvdb.org/30442; reference:url,secunia.com/advisories/22885; classtype:web-application-attack; sid:100000922; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon"; uricontent:"/users/admin.txt"; nocase; reference:url,www.milw0rm.com/exploits/3053; classtype:web-application-attack; sid:100000925; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon"; uricontent:"/newsboard/data/users.txt"; nocase; reference:url,www.milw0rm.com/exploits/3039; classtype:web-application-attack; sid:100000926; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit"; flow:to_server,established; uricontent:"/modules/articles/index.php"; nocase; uricontent:"cat_id="; nocase; reference:url,www.securityfocus.com/archive/1/463916; classtype:web-application-attack; sid:100000929; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability"; flow:established,to_server; uricontent:"404.php?"; nocase; uricontent:"d_private="; nocase; reference:bugtraq,23215; classtype:web-application-attack; sid:100000930; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt";flow:established,to_server; uricontent:"/lib/timesheet.class.php?"; nocase; uricontent:"lib_dir="; nocase; pcre:"/lib_dir=(https?|ftp)/Ui"; classtype:web-application-attack; reference:bugtraq,23203; sid:100000931; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt";flow:established,to_server; uricontent:"/lib/timesheet.class.php?"; nocase; uricontent:"inc_dir="; nocase; pcre:"/inc_dir=(https?|ftp)/Ui"; classtype:web-application-attack; reference:bugtraq,23203; sid:100000932; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability"; flow:established,to_server; uricontent:"/button/settings_sql.php"; nocase; content:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; priority:3; reference:url,securityfocus.com/archive/1/464351; classtype:web-application-attack; sid:100000933; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability"; flow:established,to_server; uricontent:"/button/new_day.php"; nocase; content:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; priority:3; reference:url,securityfocus.com/archive/1/464351; classtype:web-application-attack; sid:100000934; rev:1;)
--- /dev/null
+++ b/rules/community-sip.rules
@@ -0,0 +1,19 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-sip.rules,v 1.5 2006/06/01 15:51:28 akirk Exp $
+
+#Rules submitted by Jiri Markl
+#Rule for alerting of INVITE flood attack:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000158; rev:2;)
+#Rule for alerting of REGISTER flood attack:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000159; rev:2;)
+#Rule for alerting common TCP/UDP flood attack:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
+#Rule for alerting attack using unresolvable DNS names:
+alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:100000161; rev:2;)
+#Threshold rule for unauthorized responses:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000162; rev:2;)
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000163; rev:2;)
+#Rule submitted by rmkml
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:100000223; rev:1;)
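Review bot: sid:100000160 has no content or protocol check, so its `threshold: type both, track by_src, count 300, seconds 60` counts every packet a source sends to port 5060, and an ordinary SIP trunk or busy registrar peer will likely cross it without any flood. I would document that above the rule, e.g. `# Matches all traffic to port 5060, not only SIP; tune count/seconds to the proxy's per-peer baseline before enabling.` Separately, sid:100000161 matches only a flags byte of exactly `|83|` (RA set, RCODE 3), so NXDOMAIN replies with AD or CD set, or with RA clear, are not counted; a comment saying so would keep the rule from being read as full coverage. The msg text of that rule also misspells "threshold" and "Abnormally", which matters if alerts are searched by message.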
--- /dev/null
+++ b/rules/icmp-info.rules
@@ -0,0 +1,122 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: icmp-info.rules,v 1.23.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#--------------
+# ICMP-INFO
+#--------------
+#
+# Description:
+# These rules are standard ICMP traffic.  They include OS pings, as well
+# as normal routing done by ICMP.  There are a number of "catch all" rules
+# that will alert on unknown ICMP types.
+#
+# Potentially "BAD" ICMP rules are included in icmp.rules
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:368; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:369; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:370; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:371; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:372; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:373; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:374; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:376; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:377; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:378; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:399; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:401; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:423; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8;)
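Review bot: The three "unassigned type N undefined code" rules (sid:459, 461, 463) carry no `icode` option, unlike every other "undefined code" rule in this hunk, so they also match code 0 and overlap with sid:458, 460 and 462 on the same packet. Adding the same constraint as the neighbouring rules, e.g. `icode:>0; itype:1;` for sid:459 (and likewise for types 2 and 7), would make each pair mutually exclusive. The msg of sid:407 also reads `cndefined code`, which a log search for "undefined code" will miss.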
--- /dev/null
+++ b/rules/snmp.rules
@@ -0,0 +1,39 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: snmp.rules,v 1.17.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+# ---------------
+# SNMP RULES
+# ---------------
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
+alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
+alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:4;)
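Review bot: sid:1415 through sid:1421 have no payload match, and the TCP ones (1418, 1420, 1421) use `flow:stateless` with no `flags` test, so each matches every packet to the port rather than a request or a connection attempt. Because they also carry the cve,2002-0012 and cve,2002-0013 references, an analyst may read plain port-161/162 traffic as an exploit attempt. If they stay enabled, a per-source limit such as `threshold: type limit, track by_src, count 1, seconds 60;` would keep them usable as exposure indicators. A comment above the group should also say that these rules show SNMP being reachable from $EXTERNAL_NET, not a malformed-request attack.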
--- /dev/null
+++ b/rules/sql.rules
@@ -0,0 +1,78 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: sql.rules,v 1.28.2.3.2.4 2005/07/22 19:19:54 mwatchinski Exp $
+#----------
+# SQL RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:677; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:678; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:708; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:1386; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:702; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:703; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:690; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:692; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:694; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:695; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:696; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:697; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:698; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:700; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:673; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:674; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:675; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:682; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:683; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:684; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:685; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:687; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:691; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:699; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:701; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:704; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:705; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:706; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:707; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:1759; rev:5;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:10;)
+alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:8;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; flowbits:isnotset,ms_sql_seen_dns; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; classtype:misc-activity; sid:2050; rev:8;)
+alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:6;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 4 requests"; content:"|00 04|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3446; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 9 requests"; content:"|00 09|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3451; rev:3;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 5 requests"; content:"|00 05|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3447; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 2 requests"; content:"|00 02|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3444; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 1 requests"; content:"|00 01|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3443; rev:3;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 10 requests"; content:"|00 0A|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3452; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 6 requests"; content:"|00 06|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3448; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 3 requests"; content:"|00 03|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3445; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 8 requests"; content:"|00 08|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3450; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 7 requests"; content:"|00 07|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3449; rev:3;)
--- /dev/null
+++ b/rules/p2p.rules
@@ -0,0 +1,43 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: p2p.rules,v 1.17.2.3.2.3 2005/06/15 23:02:34 mwatchinski Exp $
+#-------------
+# P2P RULES
+#-------------
+# These signatures look for usage of P2P protocols, which are usually
+# against corporate policy
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)
+alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:7;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2181; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"P2P eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:2;)
+alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; depth:4; offset:16; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:3;)
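Review bot: sid:562 (port 7777) combines the bidirectional `<>` operator with `flow:to_server,established`, so only client-to-server packets are inspected, while the otherwise identical Napster data rules sid:561, sid:563 and sid:564 use `flow:established` and see both directions. If both directions are meant, the option should read `flow:established;` as in its siblings; if only one is meant, `->` in the header states that more clearly. Separately, sid:1432 and sid:557 carry the same msg `P2P GNUTella client request` although sid:557 matches `GNUTELLA OK`, so the two alerts cannot be told apart from the message text during triage. A distinct msg for sid:557 would fix that.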
--- /dev/null
+++ b/rules/gen-msg.map
@@ -0,0 +1,175 @@
+# $Id: gen-msg.map,v 1.16.2.2.2.2 2005/04/22 22:11:53 jhewlett Exp $
+# GENERATORS -> msg map
+# Format: generatorid || alertid || MSG
+
+1 || 1 || snort general alert
+2 || 1 || tag: Tagged Packet
+100 || 1 || spp_portscan: Portscan Detected
+100 || 2 || spp_portscan: Portscan Status
+100 || 3 || spp_portscan: Portscan Ended
+101 || 1 || spp_minfrag: minfrag alert
+102 || 1 || http_decode: Unicode Attack
+102 || 2 || http_decode: CGI NULL Byte Attack
+102 || 3 || http_decode: large method attempted
+102 || 4 || http_decode: missing uri
+102 || 5 || http_decode: double encoding detected
+102 || 6 || http_decode: illegal hex values detected
+102 || 7 || http_decode: overlong character detected
+103 || 1 || spp_defrag: Fragmentation Overflow Detected
+103 || 2 || spp_defrag: Stale Fragments Discarded
+104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
+104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
+105 || 1 || spp_bo: Back Orifice Traffic Detected
+105 || 2 || spp_bo: Back Orifice Client Traffic Detected
+105 || 3 || spp_bo: Back Orifice Server Traffic Detected
+106 || 1 || spp_rpc_decode: Fragmented RPC Records
+106 || 2 || spp_rpc_decode: Multiple Records in one packet
+106 || 3 || spp_rpc_decode: Large RPC Record Fragment
+106 || 4 || spp_rpc_decode: Incomplete RPC segment
+110 || 1 || spp_unidecode: CGI NULL Attack
+110 || 2 || spp_unidecode: Directory Traversal
+110 || 3 || spp_unidecode: Unknown Mapping
+110 || 4 || spp_unidecode: Invalid Mapping
+111 || 1 || spp_stream4: Stealth Activity Detected
+111 || 2 || spp_stream4: Evasive Reset Packet
+111 || 3 || spp_stream4: Retransmission
+111 || 4 || spp_stream4: Window Violation
+111 || 5 || spp_stream4: Data on SYN Packet
+111 || 6 || spp_stream4: Full XMAS Stealth Scan
+111 || 7 || spp_stream4: SAPU Stealth Scan
+111 || 8 || spp_stream4: FIN Stealth Scan
+111 || 9 || spp_stream4: NULL Stealth Scan
+111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
+111 || 11 || spp_stream4: VECNA Stealth Scan
+111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
+111 || 13 || spp_stream4: SYN FIN Stealth Scan
+111 || 14 || spp_stream4: TCP forward overlap detected
+111 || 15 || spp_stream4: TTL Evasion attempt
+111 || 16 || spp_stream4: Evasive retransmitited data attempt
+111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt
+111 || 18 || spp_stream4: Multiple acked
+111 || 19 || spp_stream4: Shifting to Emegency Session Mode
+111 || 20 || spp_stream4: Shifting to Suspend Mode
+111 || 21 || spp_stream4: TCP Timestamp option has value of zero
+111 || 22 || spp_stream4: Too many overlapping TCP packets
+111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
+112 || 1 || spp_arpspoof: Directed ARP Request
+112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
+112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
+112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
+113 || 1 || spp_frag2: Oversized Frag
+113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
+113 || 3 || spp_frag2: TTL evasion detected
+113 || 4 || spp_frag2: overlap detected
+113 || 5 || spp_frag2: Duplicate first fragments
+113 || 6 || spp_frag2: memcap exceeded
+113 || 7 || spp_frag2: Out of order fragments
+113 || 8 || spp_frag2: IP Options on Fragmented Packet
+113 || 9 || spp_frag2: Shifting to Emegency Session Mode
+113 || 10 || spp_frag2: Shifting to Suspend Mode
+114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
+114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
+114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
+114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
+115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
+115 || 2 || spp_asn1: Invalid ASN.1 length encoding
+115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
+115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
+115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
+116 || 1 || snort_decoder: Not IPv4 datagram!
+116 || 2 || snort_decoder: WARNING: Not IPv4 datagram!
+116 || 3 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
+116 || 4 || snort_decoder: Bad IPv4 Options
+116 || 5 || snort_decoder: Truncated IPv4 Options
+116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
+116 || 46 || snort_decoder: TCP Data Offset is less than 5!
+116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
+116 || 54 || snort_decoder: Tcp Options found with bad lengths
+116 || 55 || snort_decoder: Truncated Tcp Options
+116 || 56 || snort_decoder: T/TCP Detected
+116 || 57 || snort_decoder: Obsolete TCP options
+116 || 58 || snort_decoder: Experimental TCP options
+116 || 95 || snort_decoder: Truncated UDP Header!
+116 || 96 || snort_decoder: Invalid UDP header, length field < 8
+116 || 97 || snort_decoder: Short UDP packet, length field > payload length
+116 || 105 || snort_decoder: ICMP Header Truncated!
+116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
+116 || 107 || snort_decoder: ICMP Address Header Truncated!
+116 || 108 || snort_decoder: Unknown Datagram decoding problem!
+116 || 109 || snort_decoder: Truncated ARP Packet!
+116 || 110 || snort_decoder: Truncated EAP Header!
+116 || 111 || snort_decoder: EAP Key Truncated!
+116 || 112 || snort_decoder: EAP Header Truncated!
+116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
+116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
+116 || 131 || snort_decoder: WARNING: Bad LLC header!
+116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
+116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
+116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
+116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
+116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
+116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
+116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
+116 || 150 || snort_decoder: Bad Traffic Loopback IP!
+116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP!
+117 || 1 || spp_portscan2: Portscan detected!
+118 || 1 || spp_conversation: Bad IP protocol!
+119 || 1 || http_inspect: ASCII ENCODING
+119 || 2 || http_inspect: DOUBLE DECODING ATTACK
+119 || 3 || http_inspect: U ENCODING
+119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
+119 || 5 || http_inspect: BASE36 ENCODING
+119 || 6 || http_inspect: UTF-8 ENCODING
+119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
+119 || 8 || http_inspect: MULTI_SLASH ENCODING
+119 || 9 || http_inspect: IIS BACKSLASH EVASION
+119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
+119 || 11 || http_inspect: DIRECTORY TRAVERSAL
+119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
+119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
+119 || 14 || http_inspect: NON-RFC DEFINED CHAR
+119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
+119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
+119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
+119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
+120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
+121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
+121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
+121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
+121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
+122 || 1 || portscan: TCP Portscan
+122 || 2 || portscan: TCP Decoy Portscan
+122 || 3 || portscan: TCP Portsweep
+122 || 4 || portscan: TCP Distributed Portscan
+122 || 5 || portscan: TCP Filtered Portscan
+122 || 6 || portscan: TCP Filtered Decoy Portscan
+122 || 7 || portscan: TCP Filtered Portsweep
+122 || 8 || portscan: TCP Filtered Distributed Portscan
+122 || 9 || portscan: IP Protocol Scan
+122 || 10 || portscan: IP Decoy Protocol Scan
+122 || 11 || portscan: IP Protocol Sweep
+122 || 12 || portscan: IP Distributed Protocol Scan
+122 || 13 || portscan: IP Filtered Protocol Scan
+122 || 14 || portscan: IP Filtered Decoy Protocol Scan
+122 || 15 || portscan: IP Filtered Protocol Sweep
+122 || 16 || portscan: IP Filtered Distributed Protocol Scan
+122 || 17 || portscan: UDP Portscan
+122 || 18 || portscan: UDP Decoy Portscan
+122 || 19 || portscan: UDP Portsweep
+122 || 20 || portscan: UDP Distributed Portscan
+122 || 21 || portscan: UDP Filtered Portscan
+122 || 22 || portscan: UDP Filtered Decoy Portscan
+122 || 23 || portscan: UDP Filtered Portsweep
+122 || 24 || portscan: UDP Filtered Distributed Portscan
+122 || 25 || portscan: ICMP Sweep
+122 || 26 || portscan: ICMP Filtered Sweep
+122 || 27 || portscan: Open Port
+123 || 1 || frag3: IP Options on fragmented packet
+123 || 2 || frag3: Teardrop attack
+123 || 3 || frag3: Short fragment, possible DoS attempt
+123 || 4 || frag3: Fragment packet ends after defragmented packet
+123 || 5 || frag3: Zero-byte fragment
+123 || 6 || frag3: Bad fragment size, packet size is negative
+123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
+123 || 8 || frag3: Fragmentation overlap
+124 || 1 || xlink2state: X-Link2State length greater than 1024
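Review bot: Several message strings in this map are misspelled, which makes the resulting alert text hard to find by keyword search: `retransmitited` in 111 || 16 and 111 || 17, and `Emegency` in 111 || 19 and 113 || 9. Unless these entries must match the upstream strings verbatim, they should read `retransmitted` and `Emergency`.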
--- /dev/null
+++ b/rules/multimedia.rules
@@ -0,0 +1,36 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: multimedia.rules,v 1.13.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#-------------
+# MULTIMEDIA RULES
+#-------------
+# These signatures look for people using streaming multimedia technologies.
+# Using streaming media may be a violation of corporate policies.
+
+
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:6;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; nocase; classtype:policy-violation; sid:1436; rev:5;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-scpls"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1439; rev:5;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-mpegurl"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1440; rev:5;)
+alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; classtype:misc-activity; sid:1428; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:3;)
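Review bot: sid:2419 through sid:2423 only set the `realplayer.playlist` flowbit (`flowbits:noalert`) and no rule in this file tests it, so the file gives no hint of what depends on them. A comment above the group such as `# helper rules: set realplayer.playlist for rules that test it with flowbits:isset; they never alert themselves` would document that. The `uricontent:".rt"` and `uricontent:".rp"` matches in sid:2422 and sid:2423 are unanchored substrings, so a URI containing for example `.rtf` or `.rpm` also sets the bit and widens whatever the consuming rule later matches. These five rules use `$HTTP_PORTS`, while sid:1436, sid:1437, sid:1439 and sid:1440 hard-code port 80 and will not see the same traffic on other HTTP ports.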
--- /dev/null
+++ b/rules/community-sid-msg.map
@@ -0,0 +1,837 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# This file is licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# Id SID -> MSG map
+
+100000100 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit || cve,2004-0629 || bugtraq,10947
+100000101 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit || cve,2004-0629 || bugtraq,10947
+100000102 || COMMUNITY GAME Halocon Denial of Service Empty UDP Packet || bugtraq,12281
+100000103 || COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262
+100000104 || COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192
+100000105 || COMMUNITY INAPPROPRIATE lolita sex
+100000106 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
+100000107 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
+100000108 || COMMUNITY SQL-INJECTION OpenBB board.php || bugtraq,7404
+100000109 || COMMUNITY SQL-INJECTION OpenBB member.php || bugtraq,7404
+100000110 || COMMUNITY VIRUS Dabber PORT overflow attempt port 5554 || MCAFEE,125300
+100000111 || COMMUNITY VIRUS Dabber PORT overflow attempt port 1023 || MCAFEE,125300
+100000112 || COMMUNITY WEB-CGI Readfile.tcl Access || bugtraq,7426
+100000113 || COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi || bugtraq,7530 || cve,2003-0243
+100000114 || COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi || bugtraq,7530 || cve,2003-0243
+100000115 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID || bugtraq,7589
+100000116 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID || bugtraq,7589
+100000117 || COMMUNITY WEB-CGI VBulliten Remote Command Execution Attempt || bugtraq,12542
+100000118 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
+100000119 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
+100000121 || COMMUNITY WEB-MISC Test Script Access
+100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646
+100000123 || COMMUNITY INAPPROPRIATE preteen sex
+100000124 || COMMUNITY INAPPROPRIATE girls gone wild
+100000125 || COMMUNITY MISC Sentinel License Manager overflow attempt || cve,CAN-2005-0353 || bugtraq,12742
+100000126 || COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt || cve,2005-0768 || url,unsecure.altervista.org/security/goodtechtelnet.htm
+100000127 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php || bugtraq,12735
+100000128 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php || bugtraq,12735
+100000129 || COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS || bugtraq,10014 || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml
+100000130 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS || bugtraq,12778
+100000131 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access || bugtraq,12778
+100000132 || COMMUNITY WEB-MISC Proxy Server Access
+100000133 || COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request || bugtraq,7398 || url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1
+100000134 || COMMUNITY DOS Tcpdump rsvp attack || cve,2005-1280 || cve,2005-1281 || bugtraq,13391
+100000135 || COMMUNITY IMAP GNU Mailutils request tag format string vulnerability || cve,CAN-2005-1523 || bugtraq,13764
+100000136 || COMMUNITY IMAP GNU imapd search format string attempt || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 || cve,2005-2878
+100000137 || COMMUNITY MISC BAD-SSL tcp detect
+100000138 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost || cve,2005-2678
+100000139 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP || cve,2005-2678
+100000140 || COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow || cve,2005-0684 || url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities
+100000141 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000142 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000143 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000144 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000145 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000146 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000148 || COMMUNITY WEB-MISC Barracuda img.pl attempt || bugtraq,14712 || bugtraq,14710 || cve,2005-2848
+100000149 || COMMUNITY WEB-MISC Jboss % attempt || bugtraq,13985 || cve,2005-2006 || url,www.osvdb.org/displayvuln.php?osvdb_id=17403
+100000150 || COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt || bugtraq,13873 || bugtraq,14106 || cve,2005-2088 || cve,2005-2089 || cve,2005-2090 || cve,2005-2091 || cve,2005-2092 || cve,2005-2093 || cve,2005-2094 || url,www.osvdb.org/displayvuln.php?osvdb_id=17738 || nessus,18337
+100000151 || COMMUNITY WEB-PHP piranha default passwd attempt || bugtraq,1148 || cve,2000-0248 || nessus,10381
+100000152 || COMMUNITY IMAP MDaemon authentication protocol decode
+100000153 || COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt || bugtraq,14317
+100000154 || COMMUNITY IMAP MDaemon authentication okay protocol decode
+100000155 || COMMUNITY IMAP MDaemon authentication overflow single packet attempt || bugtraq,14317
+100000156 || COMMUNITY WEB-CGI Twiki shell command execution || bugtraq,14834 || cve,2005-2877 || url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
+100000157 || COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt || bugtraq,14831
+100000158 || COMMUNITY SIP INVITE message flooding
+100000159 || COMMUNITY SIP REGISTER message flooding
+100000160 || COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
+100000161 || COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses
+100000162 || COMMUNITY SIP 401 Unauthorized Flood
+100000163 || COMMUNITY SIP 407 Proxy Authentication Required Flood
+100000164 || COMMUNITY ICMP Linux DoS sctp Exploit || nessus,19777
+100000165 || COMMUNITY EXPLOIT Sentinel LM exploit || bugtraq,12742 || cve,2005-0353 || url,www.osvdb.org/displayvuln.php?osvdb_id=14605 || nessus,17326
+100000166 || COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt || bugtraq,15032 || url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html
+100000167 || COMMUNITY SMTP Hydra Activity Detected || url,www.thc.org/releases.php
+100000168 || COMMUNITY WEB-ATTACKS Hydra Activity Detected || url,www.thc.org/releases.php
+100000169 || COMMUNITY WEB-ATTACKS Amap fingerprint attempt || url,www.thc.org/releases.php
+100000170 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
+100000171 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
+100000172 || COMMUNITY NNTP Lynx overflow attempt || cve,2005-3120 || bugtraq,15117 || url,www.osvdb.org/displayvuln.php?osvdb_id=20019 || nessus,20035
+100000173 || COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt
+100000174 || COMMUNITY WEB-IIS RSA WebAgent access || cve,2005-1118 || bugtraq,13168
+100000175 || COMMUNITY DOS Ethereal slimp overflow attempt || cve,2005-3243 || url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html
+100000176 || COMMUNITY EXPLOIT HPUX LPD overflow attempt || cve,2005-3277 || bugtraq,15136
+100000177 || COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt || bugtraq,14822 || cve,2005-2799 || nessus,20096 || url,www.osvdb.org/displayvuln.php?osvdb_id=19389
+100000178 || COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt || bugtraq,15225 || nessus,20097
+100000179 || COMMUNITY WEB-MISC SMC TRACE access || url,www.kb.cert.org/vuls/id/867593
+100000180 || COMMUNITY EXPLOIT SIP UDP spoof attempt || bugtraq,14174 || cve,2005-2182 || url,www.osvdb.org/displayvuln.php?osvdb_id=17838
+100000181 || COMMUNITY GAME FlatFrag game dos exploit || bugtraq,15287 || cve,2005-3492
+100000182 || COMMUNITY GAME Battle Carry attempt || cve,2005-3493 || bugtraq,15282
+100000183 || COMMUNITY WEB-ATTACKS SAP WAS syscmd access || url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
+100000184 || COMMUNITY WEB-MISC JBoss JMXInvokerServlet access || url,online.securityfocus.com/archive/1/415707
+100000185 || COMMUNITY WEB-MISC apache directory list attempt || bugtraq,3009 || cve,2001-0731
+100000186 || COMMUNITY WEB-PHP phpinfo access || bugtraq,5789 || cve,2002-1149 || url,www.osvdb.org/displayvuln.php?osvdb_id=3356
+100000187 || COMMUNITY WEB-PHP XSS attempt
+100000188 || COMMUNITY WEB-PHP Vubb Path attempt || cve,2005-3513 || url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2
+100000189 || COMMUNITY MISC streaming RTSP - realplayer || url,www.rtsp.org
+100000190 || COMMUNITY MISC streaming Windows Mediaplayer || url,www.microsoft.com
+100000191 || COMMUNITY SMTP Gnu Mailman utf8 attachement access || bugtraq,15408 || cve,2005-3573 || url,www.osvdb.org/displayvuln.php?osvdb_id=20819
+100000192 || COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20846
+100000193 || COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20845
+100000194 || COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20847
+100000195 || COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access || bugtraq,15414 || cve,2005-3347
+100000196 || COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt || cve,2005-3189 || bugtraq,15488
+100000197 || COMMUNITY ICMP undefined code
+100000198 || COMMUNITY MISC Ntp fingerprint detect || url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1
+100000199 || COMMUNITY MISC Novell eDirectory iMonitor access || bugtraq,14548 || cve,2005-2551 || nessus,19248 || url,www.osvdb.org/displayvuln.php?osvdb_id=18703
+100000200 || COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt || nessus,19598 || url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html
+100000201 || COMMUNITY WEB-PHP CuteNews flood.db.php access || bugtraq,14869 || cve,2005-3010 || nessus,19756 || url,www.osvdb.org/displayvuln.php?osvdb_id=19478
+100000202 || COMMUNITY WEB-PHP DeluxeBB topic.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19404
+100000203 || COMMUNITY WEB-PHP DeluxeBB misc.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19405
+100000204 || COMMUNITY WEB-PHP DeluxeBB pm.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19407
+100000205 || COMMUNITY WEB-PHP DeluxeBB forums.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19406
+100000206 || COMMUNITY WEB-PHP DeluxeBB newpost.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19408
+100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt || cve,2005-2878 || bugtraq,14794 || nessus,19605 || url,www.osvdb.org/displayvuln.php?osvdb_id=19306
+100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX || url,nstx.dereference.de/nstx/ || url,slashdot.org/articles/00/09/10/2230242.shtml
+100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt || bugtraq,14367 || cve,2005-2420 || nessus,19300 || url,www.osvdb.org/displayvuln.php?osvdb_id=18305
+100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt
+100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000212 || COMMUNITY WEB-PHP Gallery g2_return access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000213 || COMMUNITY WEB-PHP Gallery g2_view access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000214 || COMMUNITY WEB-PHP Gallery g2_subView access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000215 || COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt || cve,2005-1928 || url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities
+100000216 || COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access || cve,2005-1929 || url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities
+100000217 || COMMUNITY WEB-MISC man2web cmd exec attempt || cve,2005-2812 || bugtraq,14747 || nessus,19591
+100000218 || COMMUNITY WEB-PHP MailGust SQL Injection email attempt || bugtraq,14933 || cve,2005-3063 || nessus,19947
+100000219 || COMMUNITY SMTP MIME-Type ms-tnef access || bugtraq,16197 || cve,2006-0002 || url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx
+100000220 || COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access || url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt || url,www.osvdb.org/displayvuln.php?osvdb_id=16244
+100000221 || COMMUNITY WEB-PHP AppServ main.php appserv_root param access || url,www.osvdb.org/displayvuln.php?osvdb_id=22228
+100000222 || COMMUNITY MISC TFTP32 Get Format string attempt || url,www.securityfocus.com/archive/1/422405/30/0/threaded || url,www.critical.lt/?vulnerabilities/200
+100000223 || COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt || bugtraq,16213 || cve,2006-0189
+100000224 || COMMUNITY SMTP Mozilla filename overflow attempt || bugtraq,16271
+100000225 || COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access || cve,2006-0192
+100000226 || COMMUNITY VIRUS Possible BlackWorm or Nymex infected host || url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm || url,cme.mitre.org/data/list.html#24 || url,isc.sans.org/blackworm
+100000227 || COMMUNITY MISC SNMP trap Format String detected || bugtraq,16267 || cve,2006-0250 || url,www.osvdb.org/displayvuln.php?osvdb_id=22493
+100000228 || COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt || bugtraq,16410 || cve,2006-0476 || url,www.frsirt.com/english/advisories/2006/0361
+100000229 || COMMUNITY MISC Lotus Domino LDAP attack || bugtraq,16523 || cve,2006-0580 || url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html
+100000230 || COMMUNITY MISC Jabber/Google Talk Outgoing Traffic || url,www.google.com/talk/
+100000231 || COMMUNITY MISC Jabber/Google Talk Outgoing Auth || url,www.google.com/talk/
+100000232 || COMMUNITY MISC Google Talk Logon || url,www.google.com/talk/
+100000233 || COMMUNITY MISC Jabber/Google Talk Outoing Message || url,www.google.com/talk/
+100000234 || COMMUNITY MISC Jabber/Google Talk Log Out || url,www.google.com/talk/
+100000235 || COMMUNITY MISC Jabber/Google Talk Logon Success || url,www.google.com/talk/
+100000236 || COMMUNITY MISC Jabber/Google Talk Incoming Message || url,www.google.com/talk/
+100000237 || COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language || url,www.boingboing.net/2006/02/22/argonne_national_lab.html
+100000238 || COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt || bugtraq,17131 || cve,2006-1245 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
+100000239 || COMMUNITY WEB-CLIENT IE createTextRange overflow attempt || bugtraq,17196 || cve,2006-1359 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
+100000240 || COMMUNITY BOT IRC Traffic Detected By Nick Change
+100000241 || COMMUNITY BOT Internal IRC server detected
+100000242 || COMMUNITY BOT Agobot/PhatBot bot.about command
+100000243 || COMMUNITY BOT Agobot/PhatBot bot.die command
+100000244 || COMMUNITY BOT Agobot/PhatBot bot.dns command
+100000245 || COMMUNITY BOT Agobot/PhatBot bot.execute command
+100000246 || COMMUNITY BOT Agobot/PhatBot bot.id command
+100000247 || COMMUNITY BOT Agobot/PhatBot bot.nick command
+100000248 || COMMUNITY BOT Agobot/PhatBot bot.open command
+100000249 || COMMUNITY BOT Agobot/PhatBot bot.remove command
+100000250 || COMMUNITY BOT Agobot/PhatBot bot.removeallbut command
+100000251 || COMMUNITY BOT Agobot/PhatBot bot.rndnick command
+100000252 || COMMUNITY BOT Agobot/PhatBot bot.status command
+100000253 || COMMUNITY BOT Agobot/PhatBot bot.sysinfo command
+100000254 || COMMUNITY BOT Agobot/PhatBot bot.longuptime command
+100000255 || COMMUNITY BOT Agobot/PhatBot bot.highspeed command
+100000256 || COMMUNITY BOT Agobot/PhatBot bot.quit command
+100000257 || COMMUNITY BOT Agobot/PhatBot bot.flushdns command
+100000258 || COMMUNITY BOT Agobot/PhatBot bot.secure command
+100000259 || COMMUNITY BOT Agobot/PhatBot bot.unsecure command
+100000260 || COMMUNITY BOT Agobot/PhatBot bot.command command
+100000261 || COMMUNITY BOT SDBot killthread command
+100000262 || COMMUNITY BOT SDBot cdkey command
+100000263 || COMMUNITY BOT SDBot getcdkey command
+100000264 || COMMUNITY BOT SDBot rndnick command
+100000265 || COMMUNITY BOT SDBot c_rndnick command
+100000266 || COMMUNITY BOT SDBot c_nick command
+100000267 || COMMUNITY BOT SpyBot stopspy  command
+100000268 || COMMUNITY BOT SpyBot redirectspy  command
+100000269 || COMMUNITY BOT SpyBot loadclones command
+100000270 || COMMUNITY BOT SpyBot killclones command
+100000271 || COMMUNITY BOT SpyBot rawclones  command
+100000272 || COMMUNITY BOT GTBot ver command
+100000273 || COMMUNITY BOT GTBot info command
+100000274 || COMMUNITY BOT GTBot scan command
+100000275 || COMMUNITY BOT GTBot portscan command
+100000276 || COMMUNITY BOT GTBot stopscan command
+100000277 || COMMUNITY BOT GTBot packet command
+100000278 || COMMUNITY BOT GTBot bnc command
+100000279 || COMMUNITY SMTP Incoming WAB attachment || cve,2006-0014 || url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx
+100000281 || COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials
+100000282 || COMMUNITY VIRUS Nugache connect
+100000283 || COMMUNITY VIRUS Nugache data || url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html
+100000284 || COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt || bugtraq,17202 || cve,2005-2922 || url,service.real.com/realplayer/security/03162006_player/en/
+100000285 || COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt || bugtraq,17915
+100000286 || COMMUNITY WEB-PHP X Poll admin access || url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2
+100000287 || COMMUNITY WEB-PHP Claroline ldap.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000288 || COMMUNITY WEB-PHP Claroline atutor.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000289 || COMMUNITY WEB-PHP Claroline db-generic.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000290 || COMMUNITY WEB-PHP Claroline docebo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000291 || COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000292 || COMMUNITY WEB-PHP Claroline dokeos.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000293 || COMMUNITY WEB-PHP Claroline ganesha.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000294 || COMMUNITY WEB-PHP Claroline mambo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000295 || COMMUNITY WEB-PHP Claroline moodle.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000296 || COMMUNITY WEB-PHP Claroline phpnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000297 || COMMUNITY WEB-PHP Claroline postnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000298 || COMMUNITY WEB-PHP Claroline spip.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000299 || COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000300 || COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000301 || COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt || bugtraq,16742 || cve,2006-0559
+100000302 || COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access || bugtraq,17964
+100000303 || COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access || bugtraq,17964
+100000304 || COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000305 || COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000306 || COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000307 || COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000308 || COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000309 || COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000310 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net || url,vil.nai.com/vil/content/v_139545.htm
+100000311 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org || url,vil.nai.com/vil/content/v_139545.htm
+100000312 || COMMUNITY VIRUS Ginwui.B POST attempt || url,vil.nai.com/vil/content/v_139545.htm
+100000313 || COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal || bugtraq,14715 || cve,2005-2020
+100000314 || COMMUNITY WEB-MISC MediaWiki parser script insertion attempt || cve,2006-2611
+100000315 || COMMUNITY WEB-MISC HTTP PUT Request || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html
+100000316 || COMMUNITY WEB-MISC HTTP PUT Request Successful || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html
+100000317 || COMMUNITY WEB-MISC phpBazar classified_right.php remote file include || bugtraq,18052
+100000318 || COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access || bugtraq,18053 || cve,2006-2527
+100000319 || COMMUNITY WEB-MISC ActualScripts direct.php remote file include || bugtraq,17597
+100000320 || COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include || bugtraq,18027
+100000321 || COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include || bugtraq,18027
+100000322 || COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include || bugtraq,18027
+100000323 || COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include || bugtraq,18027
+100000324 || COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include || bugtraq,18027
+100000325 || COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include || bugtraq,18027
+100000326 || COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include || bugtraq,18027
+100000327 || COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include || bugtraq,18027
+100000328 || COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include || bugtraq,18027
+100000329 || COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include || bugtraq,18040
+100000330 || COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include || bugtraq,18040
+100000331 || COMMUNITY WEB-MISC ZixForum settings.asp access || bugtraq,18043
+100000332 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047
+100000333 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047
+100000334 || COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include || bugtraq,18076
+100000335 || COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include || bugtraq,18076
+100000336 || COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include || cve,2006-2521
+100000337 || COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include || cve,2006-2521
+100000338 || COMMUNITY WEB-MISC phpMyDirectory header.php remote file include || cve,2006-2521
+100000339 || COMMUNITY WEB-MISC V-Webmail core.php remote file include || url,secunia.com/advisories/20297/
+100000340 || COMMUNITY WEB-MISC V-Webmail pop3.php remote file include || url,secunia.com/advisories/20297/
+100000341 || COMMUNITY WEB-MISC DoceboLMS help.php remote file include || bugtraq,18110
+100000342 || COMMUNITY WEB-MISC DoceboLMS business.php remote file include || bugtraq,18110
+100000343 || COMMUNITY WEB-MISC DoceboLMS credits.php remote file include || bugtraq,18110
+100000344 || COMMUNITY WEB-MISC SocketMail index.php remote file include || url,secunia.com/advisories/20273/
+100000345 || COMMUNITY WEB-MISC SocketMail inc-common.php remote file include || url,secunia.com/advisories/20273/
+100000346 || COMMUNITY WEB-MISC Plume CMS prepend.php remote file include || bugtraq,16662
+100000347 || COMMUNITY WEB-MISC Ezupload Pro form.php remote file include || bugtraq,18135
+100000348 || COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include || bugtraq,18135
+100000349 || COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include || bugtraq,18135
+100000350 || COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include || url,www.nukedx.com/?viewdoc=40
+100000351 || COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include || url,www.nukedx.com/?viewdoc=40
+100000352 || COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include || bugtraq,18153 || url,www.nukedx.com/?viewdoc=41
+100000353 || COMMUNITY WEB-MISC tinyBB footers.php remote file include || bugtraq,18147
+100000354 || COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include || bugtraq,18155
+100000355 || COMMUNITY WEB-MISC eSyndiCat cron.php remote file include || url,secunia.com/advisories/20218/
+100000356 || COMMUNITY WEB-MISC BASE base_qry_common.php remote file include || url,secunia.com/advisories/20300/
+100000357 || COMMUNITY WEB-MISC BASE base_stat_common.php remote file include || url,secunia.com/advisories/20300/
+100000358 || COMMUNITY WEB-MISC BASE base_include.inc.php remote file include || url,secunia.com/advisories/20300/
+100000359 || COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include || bugtraq,18163
+100000360 || COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include || bugtraq,18163
+100000361 || COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include || bugtraq,18163
+100000362 || COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include || bugtraq,18163
+100000363 || COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include || bugtraq,18163
+100000364 || COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include || bugtraq,18163
+100000365 || COMMUNITY WEB-MISC phpNuke index.php remote file include || bugtraq,18186
+100000366 || COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include || bugtraq,18186
+100000367 || COMMUNITY WEB-MISC phpNuke admin_board.php remote file include || bugtraq,18186
+100000368 || COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include || bugtraq,18186
+100000369 || COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include || bugtraq,18186
+100000370 || COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include || bugtraq,18186
+100000371 || COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include || bugtraq,18186
+100000372 || COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include || bugtraq,18186
+100000373 || COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include || bugtraq,18186
+100000374 || COMMUNITY WEB-MISC phpNuke admin_words.php remote file include || bugtraq,18186
+100000375 || COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include || bugtraq,18186
+100000376 || COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include || bugtraq,18186
+100000377 || COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include || bugtraq,18186
+100000378 || COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include || bugtraq,18186
+100000379 || COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include || bugtraq,18186
+100000380 || COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include || bugtraq,18186
+100000381 || COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include || bugtraq,18186
+100000382 || COMMUNITY WEB-MISC phpNuke admin_users.php remote file include || bugtraq,18186
+100000383 || COMMUNITY WEB-MISC OsTicket open_form.php remote file include || bugtraq,18190
+100000384 || COMMUNITY WEB-MISC Ottoman index.php remote file include || bugtraq,18208
+100000385 || COMMUNITY WEB-MISC Ottoman error.php remote file include || bugtraq,18208
+100000386 || COMMUNITY WEB-MISC Ottoman main_class.php remote file include || bugtraq,18208
+100000387 || COMMUNITY WEB-MISC Ovidentia index.php remote file include || bugtraq,18232
+100000388 || COMMUNITY WEB-MISC Ovidentia topman.php remote file include || bugtraq,18232
+100000389 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
+100000390 || COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include || bugtraq,18232
+100000391 || COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include || bugtraq,18232
+100000392 || COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include || bugtraq,18232
+100000393 || COMMUNITY WEB-MISC Ovidentia start.php remote file include || bugtraq,18232
+100000394 || COMMUNITY WEB-MISC Ovidentia search.php remote file include || bugtraq,18232
+100000395 || COMMUNITY WEB-MISC Ovidentia posts.php remote file include || bugtraq,18232
+100000396 || COMMUNITY WEB-MISC Ovidentia options.php remote file include || bugtraq,18232
+100000397 || COMMUNITY WEB-MISC Ovidentia login.php remote file include || bugtraq,18232
+100000398 || COMMUNITY WEB-MISC Ovidentia frchart.php remote file include || bugtraq,18232
+100000399 || COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include || bugtraq,18232
+100000400 || COMMUNITY WEB-MISC Ovidentia fileman.php remote file include || bugtraq,18232
+100000401 || COMMUNITY WEB-MISC Ovidentia faq.php remote file include || bugtraq,18232
+100000402 || COMMUNITY WEB-MISC Ovidentia event.php remote file include || bugtraq,18232
+100000403 || COMMUNITY WEB-MISC Ovidentia directory.php remote file include || bugtraq,18232
+100000404 || COMMUNITY WEB-MISC Ovidentia articles.php remote file include || bugtraq,18232
+100000405 || COMMUNITY WEB-MISC Ovidentia artedit.php remote file include || bugtraq,18232
+100000406 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
+100000407 || COMMUNITY WEB-MISC Ovidentia calday.php remote file include || bugtraq,18232
+100000408 || COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include || bugtraq,18220
+100000409 || COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include || bugtraq,18220
+100000410 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000411 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000412 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000413 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000414 || COMMUNITY WEB-MISC REDAXO community.inc.php remote file include || bugtraq,18229
+100000415 || COMMUNITY WEB-MISC Bytehoard server.php remote file include || bugtraq,18234
+100000416 || COMMUNITY WEB-MISC MyBloggie admin.php remote file include || bugtraq,18241
+100000417 || COMMUNITY WEB-MISC MyBloggie scode.php remote file include || bugtraq,18241
+100000418 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include || bugtraq,18248
+100000419 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include || bugtraq,18248
+100000420 || COMMUNITY WEB-MISC Informium common-menu.php remote file include || bugtraq,18249
+100000421 || COMMUNITY WEB-MISC Igloo wiki.php remote file include || bugtraq,18250
+100000422 || COMMUNITY WEB-MISC phpBB template.php remote file include || bugtraq,18255
+100000423 || COMMUNITY WEB-MISC DotWidget CMS index.php remote file include || bugtraq,18258
+100000424 || COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include || bugtraq,18258
+100000425 || COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include || bugtraq,18258
+100000426 || COMMUNITY WEB-MISC DotClear prepend.php remote file include || bugtraq,18259
+100000427 || COMMUNITY WEB-MISC JBoss jmx-console html adaptor access || url,jboss.org/wiki/Wiki.jsp?page=JMXConsole
+100000428 || COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2
+100000429 || COMMUNITY WEB-MISC JBoss web-console access || url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole
+100000430 || COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include || bugtraq,18261
+100000431 || COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include || bugtraq,18261
+100000432 || COMMUNITY WEB-MISC BlueShoes file.php remote file include || bugtraq,18261
+100000433 || COMMUNITY WEB-MISC BlueShoes viewer.php remote file include || bugtraq,18261
+100000434 || COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include || bugtraq,18261
+100000435 || COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include || bugtraq,18261
+100000436 || COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include || bugtraq,18261
+100000437 || COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include || bugtraq,18263
+100000438 || COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include || bugtraq,18265
+100000439 || COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include || bugtraq,18265
+100000440 || COMMUNITY WEB-MISC CyBoards common.php remote file include || bugtraq,18272
+100000441 || COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include || bugtraq,18291
+100000442 || COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include || bugtraq,18313
+100000443 || COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include || bugtraq,18313
+100000444 || COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include || bugtraq,18313
+100000445 || COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt || bugtraq,18270
+100000446 || COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt || bugtraq,18273
+100000447 || COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt || bugtraq,18228 || cve,2006-2779
+100000448 || COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt || bugtraq,18367
+100000449 || COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt || bugtraq,18367
+100000450 || COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt || bugtraq,18368
+100000451 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
+100000452 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
+100000453 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
+100000454 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
+100000455 || COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt || bugtraq,18473
+100000456 || COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt || bugtraq,18482
+100000457 || COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt || bugtraq,18512
+100000458 || COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt || bugtraq,18526
+100000459 || COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt || bugtraq,18564
+100000460 || COMMUNITY WEB-MISC AZureus index.tmpl xss attempt || bugtraq,18596
+100000461 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
+100000462 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
+100000463 || COMMUNITY WEB-PHP Joomla joomla.php remote file include || bugtraq,18363
+100000464 || COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include || bugtraq,18370
+100000465 || COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include || bugtraq,18371
+100000466 || COMMUNITY WEB-PHP Free QBoard post.php remote file include || bugtraq,18373
+100000467 || COMMUNITY WEB-PHP WebprojectDB nav.php remote file include || bugtraq,18378
+100000468 || COMMUNITY WEB-PHP WebprojectDB lang.php remote file include || bugtraq,18378
+100000469 || COMMUNITY WEB-PHP iFoto index.php xss attempt || bugtraq,18391
+100000470 || COMMUNITY WEB-PHP Foing manage_songs.php remote file include || bugtraq,18392
+100000471 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
+100000472 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
+100000473 || COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt || bugtraq,18403
+100000474 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
+100000475 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
+100000476 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
+100000477 || COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt || bugtraq,18403
+100000478 || COMMUNITY WEB-PHP aWebNews visview.php remote file include || bugtraq,18406
+100000479 || COMMUNITY WEB-PHP CzarNews headlines.php remote file include || bugtraq,18411
+100000480 || COMMUNITY WEB-PHP Somery team.php remote file include || bugtraq,18412
+100000481 || COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include || bugtraq,18413
+100000482 || COMMUNITY WEB-PHP BoastMachine vote.php remote file include || bugtraq,18415
+100000483 || COMMUNITY WEB-PHP Wheatblog view_links.php remote file include || bugtraq,18416
+100000484 || COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt || bugtraq,18426
+100000485 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18435
+100000486 || COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include || bugtraq,18440
+100000487 || COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include || bugtraq,18441
+100000488 || COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include || bugtraq,18441
+100000489 || COMMUNITY WEB-PHP ISPConfig login.php remote file include || bugtraq,18441
+100000490 || COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include || bugtraq,18441
+100000491 || COMMUNITY WEB-PHP DeluxeBB posting.php remote file include || bugtraq,18455
+100000492 || COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include || bugtraq,18455
+100000493 || COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include || bugtraq,18455
+100000494 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
+100000495 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
+100000496 || COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt || bugtraq,18463
+100000497 || COMMUNITY WEB-PHP Calendarix cal_event.php SQL injection attempt || bugtraq,18469
+100000498 || COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt || bugtraq,18469
+100000499 || COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include || bugtraq,18471
+100000500 || COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include || bugtraq,18471
+100000501 || COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include || bugtraq,18471
+100000502 || COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include || bugtraq,18474
+100000503 || COMMUNITY WEB-PHP Nucleus CMS action.php remote file include || bugtraq,18475
+100000504 || COMMUNITY WEB-PHP Nucleus CMS media.php remote file include || bugtraq,18475
+100000505 || COMMUNITY WEB-PHP Nucleus CMS server.php remote file include || bugtraq,18475
+100000506 || COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include || bugtraq,18475
+100000507 || COMMUNITY WEB-PHP FlashChat adminips.php remote file include || bugtraq,18480
+100000508 || COMMUNITY WEB-PHP Wikkawiki wakka.php access || bugtraq,18481
+100000509 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18490
+100000510 || COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt || bugtraq,18497
+100000511 || COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt || bugtraq,18497
+100000512 || COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt || bugtraq,18497
+100000513 || COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt || bugtraq,18501
+100000514 || COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt || bugtraq,18501
+100000515 || COMMUNITY WEB-PHP CMS Faethon header.php xss attempt || bugtraq,18505
+100000516 || COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt || bugtraq,18505
+100000517 || COMMUNITY WEB-PHP e107 search.php xss attempt || bugtraq,18508
+100000518 || COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include || bugtraq,18509
+100000519 || COMMUNITY WEB-PHP VUBB index.php SQL injection attempt || bugtraq,18516
+100000520 || COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt || bugtraq,18520
+100000521 || COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt || bugtraq,18524
+100000522 || COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt || bugtraq,18528
+100000523 || COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt || bugtraq,18533
+100000524 || COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include || bugtraq,18537
+100000525 || COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt || bugtraq,18539
+100000526 || COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt || bugtraq,18539
+100000527 || COMMUNITY WEB-PHP AssoCIateD index.php xss attempt || bugtraq,18541
+100000528 || COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt || bugtraq,18542
+100000529 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
+100000530 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
+100000531 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
+100000532 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
+100000533 || COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt || bugtraq,18561
+100000534 || COMMUNITY WEB-PHP VUBB english.php xss attempt || bugtraq,18562
+100000535 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
+100000536 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
+100000537 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
+100000538 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
+100000539 || COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt || bugtraq,18567
+100000540 || COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt || bugtraq,18590
+100000541 || COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt || bugtraq,18607
+100000542 || COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt || bugtraq,18607
+100000543 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
+100000544 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
+100000545 || COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include || bugtraq,18609
+100000546 || COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include || bugtraq,18609
+100000547 || COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include || bugtraq,18609
+100000548 || COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include || bugtraq,18609
+100000549 || COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt || bugtraq,18626
+100000550 || COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access || bugtraq,18627
+100000551 || COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access || bugtraq,18627
+100000552 || COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include || bugtraq,18628
+100000553 || COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include || bugtraq,18633
+100000554 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
+100000555 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
+100000556 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
+100000557 || COMMUNITY WEB-PHP VebiMiau index.php xss attempt || bugtraq,18643
+100000558 || COMMUNITY WEB-PHP VebiMiau messages.php xss attempt || bugtraq,18643
+100000559 || COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt || bugtraq,18644
+100000560 || COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include || bugtraq,18649
+100000561 || COMMUNITY WEB-PHP dotProject ui.class.php xss attempt || bugtraq,18650
+100000562 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000563 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000564 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000565 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000566 || COMMUNITY WEB-PHP XennoBB messages.php xss attempt || bugtraq,18652
+100000567 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
+100000568 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
+100000569 || COMMUNITY WEB-PHP Indexu app_change_email.php remote file include || bugtraq,18477
+100000570 || COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include || bugtraq,18477
+100000571 || COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include || bugtraq,18477
+100000572 || COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include || bugtraq,18477
+100000573 || COMMUNITY WEB-PHP Indexu app_setup.php remote file include || bugtraq,18477
+100000574 || COMMUNITY WEB-PHP Indexu cat_add.php remote file include || bugtraq,18477
+100000575 || COMMUNITY WEB-PHP Indexu cat_delete.php remote file include || bugtraq,18477
+100000576 || COMMUNITY WEB-PHP Indexu cat_edit.php remote file include || bugtraq,18477
+100000577 || COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include || bugtraq,18477
+100000578 || COMMUNITY WEB-PHP Indexu cat_search.php remote file include || bugtraq,18477
+100000579 || COMMUNITY WEB-PHP Indexu cat_struc.php remote file include || bugtraq,18477
+100000580 || COMMUNITY WEB-PHP Indexu cat_view.php remote file include || bugtraq,18477
+100000581 || COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include || bugtraq,18477
+100000582 || COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include || bugtraq,18477
+100000583 || COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include || bugtraq,18477
+100000584 || COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include || bugtraq,18477
+100000585 || COMMUNITY WEB-PHP Indexu db_alter.php remote file include || bugtraq,18477
+100000586 || COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include || bugtraq,18477
+100000587 || COMMUNITY WEB-PHP Indexu db_backup.php remote file include || bugtraq,18477
+100000588 || COMMUNITY WEB-PHP Indexu db_export.php remote file include || bugtraq,18477
+100000589 || COMMUNITY WEB-PHP Indexu db_import.php remote file include || bugtraq,18477
+100000590 || COMMUNITY WEB-PHP Indexu editor_add.php remote file include || bugtraq,18477
+100000591 || COMMUNITY WEB-PHP Indexu editor_delete.php remote file include || bugtraq,18477
+100000592 || COMMUNITY WEB-PHP Indexu editor_validate.php remote file include || bugtraq,18477
+100000593 || COMMUNITY WEB-PHP Indexu head.php remote file include || bugtraq,18477
+100000594 || COMMUNITY WEB-PHP Indexu index.php remote file include || bugtraq,18477
+100000595 || COMMUNITY WEB-PHP Indexu inv_config.php remote file include || bugtraq,18477
+100000596 || COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include || bugtraq,18477
+100000597 || COMMUNITY WEB-PHP Indexu inv_create.php remote file include || bugtraq,18477
+100000598 || COMMUNITY WEB-PHP Indexu inv_delete.php remote file include || bugtraq,18477
+100000599 || COMMUNITY WEB-PHP Indexu inv_edit.php remote file include || bugtraq,18477
+100000600 || COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include || bugtraq,18477
+100000601 || COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include || bugtraq,18477
+100000602 || COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include || bugtraq,18477
+100000603 || COMMUNITY WEB-PHP Indexu inv_paid.php remote file include || bugtraq,18477
+100000604 || COMMUNITY WEB-PHP Indexu inv_send.php remote file include || bugtraq,18477
+100000605 || COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include || bugtraq,18477
+100000606 || COMMUNITY WEB-PHP Indexu lang_modify.php remote file include || bugtraq,18477
+100000607 || COMMUNITY WEB-PHP Indexu link_add.php remote file include || bugtraq,18477
+100000608 || COMMUNITY WEB-PHP Indexu link_bad.php remote file include || bugtraq,18477
+100000609 || COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include || bugtraq,18477
+100000610 || COMMUNITY WEB-PHP Indexu link_checkurl.php remote file include || bugtraq,18477
+100000611 || COMMUNITY WEB-PHP Indexu link_delete.php remote file include || bugtraq,18477
+100000612 || COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include || bugtraq,18477
+100000613 || COMMUNITY WEB-PHP Indexu link_edit.php remote file include || bugtraq,18477
+100000614 || COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include || bugtraq,18477
+100000615 || COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include || bugtraq,18477
+100000616 || COMMUNITY WEB-PHP Indexu link_search.php remote file include || bugtraq,18477
+100000617 || COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include || bugtraq,18477
+100000618 || COMMUNITY WEB-PHP Indexu link_validate.php remote file include || bugtraq,18477
+100000619 || COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include || bugtraq,18477
+100000620 || COMMUNITY WEB-PHP Indexu link_view.php remote file include || bugtraq,18477
+100000621 || COMMUNITY WEB-PHP Indexu log_search.php remote file include || bugtraq,18477
+100000622 || COMMUNITY WEB-PHP Indexu mail_modify.php remote file include || bugtraq,18477
+100000623 || COMMUNITY WEB-PHP Indexu menu.php remote file include || bugtraq,18477
+100000624 || COMMUNITY WEB-PHP Indexu message_create.php remote file include || bugtraq,18477
+100000625 || COMMUNITY WEB-PHP Indexu message_delete.php remote file include || bugtraq,18477
+100000626 || COMMUNITY WEB-PHP Indexu message_edit.php remote file include || bugtraq,18477
+100000627 || COMMUNITY WEB-PHP Indexu message_send.php remote file include || bugtraq,18477
+100000628 || COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include || bugtraq,18477
+100000629 || COMMUNITY WEB-PHP Indexu message_view.php remote file include || bugtraq,18477
+100000630 || COMMUNITY WEB-PHP Indexu review_validate.php remote file include || bugtraq,18477
+100000631 || COMMUNITY WEB-PHP Indexu review_validate_edit.php remote file include || bugtraq,18477
+100000632 || COMMUNITY WEB-PHP Indexu summary.php remote file include || bugtraq,18477
+100000633 || COMMUNITY WEB-PHP Indexu template_active.php remote file include || bugtraq,18477
+100000634 || COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include || bugtraq,18477
+100000635 || COMMUNITY WEB-PHP Indexu template_delete.php remote file include || bugtraq,18477
+100000636 || COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include || bugtraq,18477
+100000637 || COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include || bugtraq,18477
+100000638 || COMMUNITY WEB-PHP Indexu template_export.php remote file include || bugtraq,18477
+100000639 || COMMUNITY WEB-PHP Indexu template_import.php remote file include || bugtraq,18477
+100000640 || COMMUNITY WEB-PHP Indexu template_manager.php remote file include || bugtraq,18477
+100000641 || COMMUNITY WEB-PHP Indexu template_modify.php remote file include || bugtraq,18477
+100000642 || COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include || bugtraq,18477
+100000643 || COMMUNITY WEB-PHP Indexu template_rename.php remote file include || bugtraq,18477
+100000644 || COMMUNITY WEB-PHP Indexu user_add.php remote file include || bugtraq,18477
+100000645 || COMMUNITY WEB-PHP Indexu user_delete.php remote file include || bugtraq,18477
+100000646 || COMMUNITY WEB-PHP Indexu user_edit.php remote file include || bugtraq,18477
+100000647 || COMMUNITY WEB-PHP Indexu user_search.php remote file include || bugtraq,18477
+100000648 || COMMUNITY WEB-PHP Indexu whos.php remote file include || bugtraq,18477
+100000649 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000650 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000651 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000652 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000653 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000654 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000655 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000656 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000657 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000658 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000659 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000660 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000661 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000662 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000663 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000664 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000665 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000666 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
+100000667 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
+100000668 || COMMUNITY WEB-PHP Harpia pheader.php remote file include || bugtraq,18614
+100000669 || COMMUNITY WEB-PHP Harpia headlines.php remote file include || bugtraq,18614
+100000670 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
+100000671 || COMMUNITY WEB-PHP Harpia preload.php remote file include || bugtraq,18614
+100000672 || COMMUNITY WEB-PHP Harpia users.php remote file include || bugtraq,18614
+100000673 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
+100000674 || COMMUNITY WEB-PHP Harpia footer.php remote file include || bugtraq,18614
+100000675 || COMMUNITY WEB-PHP Harpia pfooter.php remote file include || bugtraq,18614
+100000676 || COMMUNITY WEB-PHP Harpia missing.php remote file include || bugtraq,18614
+100000677 || COMMUNITY WEB-PHP Harpia topics.php remote file include || bugtraq,18614
+100000678 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
+100000679 || COMMUNITY WEB-PHP Harpia index.php remote file include || bugtraq,18614
+100000680 || COMMUNITY WEB-PHP Harpia search.php remote file include || bugtraq,18614
+100000681 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
+100000682 || COMMUNITY WEB-PHP Harpia email.php remote file include || bugtraq,18614
+100000683 || COMMUNITY WEB-PHP cPanel select.html xss attempt || bugtraq,18655
+100000684 || COMMUNITY VIRUS OutBound Dremn Trojan Beacon || url,symantec.com/avcenter/venc/data/trojan.dremn.html
+100000685 || COMMUNITY VIRUS Answering Dremn Trojan Server || url,symantec.com/avcenter/venc/data/trojan.dremn.html
+100000686 || COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound || bugtraq,18664
+100000687 || COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound || bugtraq,18664
+100000688 || COMMUNITY POLICY Ajax Remote Desktop Connection || url,www.peterdamen.com/ajaxrd/
+100000689 || COMMUNITY SMTP Mytob MAIL FROM Attempt || url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html
+100000690 || COMMUNITY SQL-INJECTION BXCP Sql Injection attempt || bugtraq,18765 || url,www.milw0rm.com/exploits/1975
+100000691 || COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt || bugtraq,18760
+100000692 || COMMUNITY WEB-CLIENT midi file download attempt || bugtraq,18507
+100000693 || COMMUNITY WEB-CLIENT winamp midi file header overflow attempt || bugtraq,18507
+100000694 || COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt || bugtraq,18699
+100000695 || COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt || bugtraq,18699
+100000696 || COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt || bugtraq,18699
+100000697 || COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt || bugtraq,18699
+100000698 || COMMUNITY WEB-MISC BXCP index.php SQL injection attempt || bugtraq,18765
+100000699 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
+100000700 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
+100000701 || COMMUNITY WEB-MISC WordPress index.php SQL injection attempt || bugtraq,18779
+100000702 || COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt || bugtraq,18899
+100000703 || COMMUNITY WEB-PHP Horde index.php show XSS attempt || bugtraq,18845
+100000704 || COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include || bugtraq,18697
+100000705 || COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include || bugtraq,18697
+100000706 || COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include || bugtraq,18697
+100000707 || COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include || bugtraq,18697
+100000708 || COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include || bugtraq,18697
+100000709 || COMMUNITY WEB-PHP SquirrelMail search.php xss attempt || bugtraq,18700
+100000710 || COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt || bugtraq,18718
+100000711 || COMMUNITY WEB-PHP PHPRaid raids.php remote file include || bugtraq,18719
+100000712 || COMMUNITY WEB-PHP PHPRaid register.php remote file include || bugtraq,18719
+100000713 || COMMUNITY WEB-PHP PHPRaid roster.php remote file include || bugtraq,18719
+100000714 || COMMUNITY WEB-PHP PHPRaid view.php remote file include || bugtraq,18719
+100000715 || COMMUNITY WEB-PHP PHPRaid logs.php remote file include || bugtraq,18719
+100000716 || COMMUNITY WEB-PHP PHPRaid users.php remote file include || bugtraq,18719
+100000717 || COMMUNITY WEB-PHP PHPRaid configuration.php remote file include || bugtraq,18719
+100000718 || COMMUNITY WEB-PHP PHPRaid guilds.php remote file include || bugtraq,18719
+100000719 || COMMUNITY WEB-PHP PHPRaid index.php remote file include || bugtraq,18719
+100000720 || COMMUNITY WEB-PHP PHPRaid locations.php remote file include || bugtraq,18719
+100000721 || COMMUNITY WEB-PHP PHPRaid login.php remote file include || bugtraq,18719
+100000722 || COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include || bugtraq,18719
+100000723 || COMMUNITY WEB-PHP PHPRaid permissions.php remote file include || bugtraq,18719
+100000724 || COMMUNITY WEB-PHP PHPRaid profile.php remote file include || bugtraq,18719
+100000725 || COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt || bugtraq,18720
+100000726 || COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt || bugtraq,18729
+100000727 || COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt || bugtraq,18735
+100000728 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
+100000729 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
+100000730 || COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include || bugtraq,18740
+100000731 || COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include || bugtraq,18740
+100000732 || COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include || bugtraq,18740
+100000733 || COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include || bugtraq,18740
+100000734 || COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include || bugtraq,18740
+100000735 || COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include || bugtraq,18740
+100000736 || COMMUNITY WEB-PHP Geeklog MassDelTrackback.Admin.class.php remote file include || bugtraq,18740
+100000737 || COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include || bugtraq,18740
+100000738 || COMMUNITY WEB-PHP Geeklog EditIP.Admin.class.php remote file include || bugtraq,18740
+100000739 || COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include || bugtraq,18740
+100000740 || COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include || bugtraq,18740
+100000741 || COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include || bugtraq,18740
+100000742 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
+100000743 || COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include || bugtraq,18750
+100000744 || COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt || bugtraq,18757
+100000745 || COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt || bugtraq,18760
+100000746 || COMMUNITY WEB-PHP Randshop header.inc.php remote file include || bugtraq,18763
+100000747 || COMMUNITY WEB-PHP Plume CMS index.php remote file include || bugtraq,18780
+100000748 || COMMUNITY WEB-PHP Plume CMS rss.php remote file include || bugtraq,18780
+100000749 || COMMUNITY WEB-PHP Plume CMS search.php remote file include || bugtraq,18780
+100000750 || COMMUNITY WEB-PHP Free QBoard index.php remote file include || bugtraq,18788
+100000751 || COMMUNITY WEB-PHP Free QBoard about.php remote file include || bugtraq,18788
+100000752 || COMMUNITY WEB-PHP Free QBoard contact.php remote file include || bugtraq,18788
+100000753 || COMMUNITY WEB-PHP Free QBoard delete.php remote file include || bugtraq,18788
+100000754 || COMMUNITY WEB-PHP Free QBoard faq.php remote file include || bugtraq,18788
+100000755 || COMMUNITY WEB-PHP Free QBoard features.php remote file include || bugtraq,18788
+100000756 || COMMUNITY WEB-PHP Free QBoard history.php remote file include || bugtraq,18788
+100000757 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
+100000758 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
+100000759 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
+100000760 || COMMUNITY WEB-PHP The Banner Engine top.php xss attempt || bugtraq,18793
+100000761 || COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt || bugtraq,18798
+100000762 || COMMUNITY WEB-PHP Randshop index.php remote file include || bugtraq,18809
+100000763 || COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access || bugtraq,18816
+100000764 || COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include || bugtraq,18834
+100000765 || COMMUNITY WEB-PHP LifeType index.php SQL injection attempt || bugtraq,18835
+100000766 || COMMUNITY WEB-PHP Blog CMS thumb.php remote file include || bugtraq,18837
+100000767 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000768 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000769 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000770 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000771 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000772 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000773 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000774 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000775 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000776 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000777 || COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt || bugtraq,18839
+100000778 || COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt || bugtraq,18840
+100000779 || COMMUNITY WEB-PHP Horde index.php xss attempt || bugtraq,18845
+100000780 || COMMUNITY WEB-PHP Horde problem.php xss attempt || bugtraq,18845
+100000781 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845
+100000782 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845
+100000783 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
+100000784 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
+100000785 || COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt || bugtraq,18857
+100000786 || COMMUNITY WEB-PHP ATutor browse.php xss attempt || bugtraq,18857
+100000787 || COMMUNITY WEB-PHP ATutor fix_content.php xss attempt || bugtraq,18857
+100000788 || COMMUNITY WEB-PHP FreeWebshop search.php xss attempt || bugtraq,18878
+100000789 || COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt || bugtraq,18878
+100000790 || COMMUNITY WEB-PHP Pivot edit_new.php remote file include || bugtraq,18881
+100000791 || COMMUNITY WEB-PHP Pivot pv_core.php access || bugtraq,18881
+100000792 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000793 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000794 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000795 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000796 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000797 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000798 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000799 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000800 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
+100000801 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
+100000802 || COMMUNITY WEB-PHP BosClassifieds index.php remote file include || bugtraq,18883
+100000803 || COMMUNITY WEB-PHP BosClassifieds recent.php remote file include || bugtraq,18883
+100000804 || COMMUNITY WEB-PHP BosClassifieds account.php remote file include || bugtraq,18883
+100000805 || COMMUNITY WEB-PHP BosClassifieds classified.php remote file include || bugtraq,18883
+100000806 || COMMUNITY WEB-PHP BosClassifieds search.php remote file include || bugtraq,18883
+100000807 || COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt || bugtraq,18893
+100000808 || COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt || bugtraq,18897
+100000809 || COMMUNITY WEB-PHP RW Download stats.php remote file include || bugtraq,18901
+100000810 || COMMUNITY WEB-PHP PHPBB download.php remote file include || bugtraq,18914
+100000811 || COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include || bugtraq,18914
+100000812 || COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include || bugtraq,18917
+100000813 || COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include || bugtraq,18917
+100000814 || COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include || bugtraq,18917
+100000815 || COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include || bugtraq,18917
+100000816 || COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include || bugtraq,18919
+100000817 || COMMUNITY WEB-PHP SMF Forum smf.php remote file include || bugtraq,18924
+100000818 || COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt || bugtraq,18928
+100000819 || COMMUNITY DELETED PhpWebGallery XSS attempt
+100000820 || COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt || bugtraq,18934
+100000821 || COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt || bugtraq,18937
+100000822 || COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt || bugtraq,18937
+100000823 || COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt || bugtraq,18937
+100000824 || COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt || bugtraq,18937
+100000825 || COMMUNITY WEB-PHP Phorum posting.php xss attempt || bugtraq,18941
+100000826 || COMMUNITY WEB-PHP Phorum search.php SQL injection attempt || bugtraq,18941
+100000827 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
+100000828 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
+100000829 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
+100000830 || COMMUNITY WEB-PHP HiveMail index.php xss attempt || bugtraq,18949
+100000831 || COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt || bugtraq,18949
+100000832 || COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt || bugtraq,18949
+100000833 || COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt || bugtraq,18949
+100000834 || COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt || bugtraq,18956
+100000835 || COMMUNITY WEB-PHP Lazarus picture.php xss attempt || bugtraq,18956
+100000836 || COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include || bugtraq,18998
+100000837 || COMMUNITY WEB-PHP MiniBB index.php remote file include || bugtraq,18998
+100000838 || COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt || bugtraq,18964
+100000839 || COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include || bugtraq,18965
+100000840 || COMMUNITY WEB-PHP FlatNuke index.php remote file include || bugtraq,18966
+100000841 || COMMUNITY WEB-PHP PerForms performs.php remote file include || bugtraq,18968
+100000842 || COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt || bugtraq,18969
+100000843 || COMMUNITY WEB-PHP Koobi Pro index.php xss attempt || bugtraq,18970
+100000844 || COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt || bugtraq,18970
+100000845 || COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt || bugtraq,18984
+100000846 || COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include || bugtraq,18990
+100000847 || COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include || bugtraq,18991
+100000848 || COMMUNITY DELETED PhpWebGallery XSS attempt || bugtraq,18798
+100000849 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000850 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000851 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000852 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000853 || COMMUNITY WEB-PHP IceWarp settings.html remote file include || bugtraq,19007
+100000854 || COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include || bugtraq,19014
+100000855 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000856 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000857 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000858 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000859 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000860 || COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt || bugtraq,19020
+100000861 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
+100000862 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
+100000863 || COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt || url,secunia.com/advisories/21451/
+100000864 || COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability || url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14
+100000865 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000866 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000867 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000868 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000869 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000870 || COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000871 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
+100000872 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
+100000873 || COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion
+100000874 || COMMUNITY MISC DLR-TOR Directory server response || url,tor.eff.org
+100000875 || COMMUNITY MISC DLR-TOR Client Traffic || url,tor.eff.org
+100000876 || COMMUNITY MISC Google Talk Version Check
+100000877 || COMMUNITY MISC Google Talk Startup
+100000878 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
+100000879 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
+100000880 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
+100000881 || COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt || bugtraq,19507 || cve,2006-4144
+100000882 || COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include || bugtraq,19349
+100000883 || COMMUNITY WEB-PHP Inlink remote file inclusion exploit || url,milw0rm.com/exploits/2295
+100000884 || COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt || url,milw0rm.com/exploits/2296
+100000885 || COMMUNITY WEB-PHP pHNews access attempt || url,milw0rm.com/exploits/2298
+100000886 || COMMUNITY WEB-PHP Proxima access attempt || url,milw0rm.com/exploits/2299
+100000887 || COMMUNITY WEB-PHP pmwiki exploit attempt || url,milw0rm.com/exploits/2291
+100000888 || COMMUNITY WEB-PHP tikiwiki exploit attempt || url,milw0rm.com/exploits/2288
+100000889 || COMMUNITY WEB-PHP yappa-ng exploit attempt || url,milw0rm.com/exploits/2292
+100000890 || COMMUNITY WEB-MISC Webmin null char attempt || bugtraq,19820 || nessus,22300
+100000891 || COMMUNITY WEB-MISC Usermin null char attempt || bugtraq,19820 || nessus,22300
+100000892 || COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow || url,www.ethereal.com/news/item_20050504_01.html || url,www.elook.org/internet/126.html
+100000893 || COMMUNITY POLICY Weather Channel Desktop App Installer
+100000894 || COMMUNITY POLICY Weather Channel Desktop App
+100000895 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000896 || COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000897 || COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000898 || COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000899 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000900 || COMMUNITY BOT Mytob IRC DCC file transfer request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000901 || COMMUNITY BOT Mytob IRC DCC chat request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000902 || COMMUNITY BOT Mytob IRC channel join || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000903 || COMMUNITY BOT Mytob IRC dns request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000904 || COMMUNITY BOT Mytob IRC dns response || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000905 || COMMUNITY BOT Mytob IRC nick change || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000906 || COMMUNITY WEB-PHP UBB.threads remote file include
+100000907 || COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include || url,www.securityfocus.com/bid/20281/info
+100000908 || COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include || url,www.securityfocus.com/bid/20281/info
+100000909 || COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include || url,www.securityfocus.com/bid/20281/info
+100000910 || COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include || url,www.securityfocus.com/bid/20281/info
+100000911 || COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000912 || COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000913 || COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000914 || COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000915 || COMMUNITY WEB-PHP Somery Include.php remote file include || bugtraq,19912
+100000916 || COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt || bugtraq,19770
+100000917 || COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt || bugtraq,20367
+100000918 || COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt || bugtraq,20367
+100000919 || COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt || bugtraq,20640 || cve,2006-5497 || url,osvdb.org/29904 || nessus,22922 || url,www.milw0rm.com/exploits/2600
+100000920 || COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include || bugtraq,20757 || url,osvdb.org/29971 || nessus,22926
+100000921 || COMMUNITY WEB-PHP PunBB register.php language variable remote file include || bugtraq,20786 || cve,2006-5735 || url,osvdb.org/30132 || nessus,22932
+100000922 || COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection || bugtraq,21135 || url,osvdb.org/30442 || url,secunia.com/advisories/22885
+100000923 || COMMUNITY DOS Single-Byte UDP Flood
+100000924 || COMMUNITY POLICY Google SafeSearch off
+100000925 || COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon || url,www.milw0rm.com/exploits/3053
+100000926 || COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon || url,www.milw0rm.com/exploits/3039
+100000927 || COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry || url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx
+100000928 || COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow || bugtraq,23483 || cve,2007-1674
+100000929 || COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit || url,www.securityfocus.com/archive/1/463916
+100000930 || COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability || bugtraq,23215
+100000931 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203
+100000932 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203
+100000933 || COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability || url,securityfocus.com/archive/1/464351
+100000934 || COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability || url,securityfocus.com/archive/1/464351
--- /dev/null
+++ b/rules/nntp.rules
@@ -0,0 +1,35 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: nntp.rules,v 1.12.2.4.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#----------
+# NNTP RULES
+#----------
+
+alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:1538; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2424; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2425; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2426; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2427; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2428; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2429; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2430; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2431; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2927; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:3078; rev:1;)
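Review bot: The first rule in nntp.rules, sid:1792 ("NNTP return code buffer overflow attempt"), has a header and a flow option that disagree. Its header `$EXTERNAL_NET 119 -> $HOME_NET any` selects packets coming from a news server's port, but it is paired with `flow:to_server,established,no_stream`. A "200" return code is a server reply to the client that opened the session, so those packets would normally be classified as to_client and the rule would probably never fire on the response it is meant to inspect. If that reading is right, the option should be `flow:to_client,established,no_stream;`, with `rev` bumped and a `#` comment noting the local deviation from the upstream rule. The remaining rules in this hunk target `$HOME_NET 119` and their `to_server` direction is consistent with their headers.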
--- /dev/null
+++ b/rules/netbios.rules
@@ -0,0 +1,512 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: netbios.rules,v 1.46.2.9.2.7 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# NETBIOS RULES
+#--------------
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:537; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:538; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2465; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2466; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:536; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2467; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2468; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2469; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:533; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2470; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2471; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2472; rev:9;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:532; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2473; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2474; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2475; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2174; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2175; rev:8;)
+
+# where did these come from?  I don't know.  lets disable them for real for now
+# and deal with it later...
+### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
+### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2476; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2477; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2478; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2479; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2480; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2481; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2482; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2483; rev:7;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;)
+
+
+
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;)
+alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:9;)
+
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:7;)
+
+
+
+
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2382; rev:18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2383; rev:18;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;)
+alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;)
+alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;)
+alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2932; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2994; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2976; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2939; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2958; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2937; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2988; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2971; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2989; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2944; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2972; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2936; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2953; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2984; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2979; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2961; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2960; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2948; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2949; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2930; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2931; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2970; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2965; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2951; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2997; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2985; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2947; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2954; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2943; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2998; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2935; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2962; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2977; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2955; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2981; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2993; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2942; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2969; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2973; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2999; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2952; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2966; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2940; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2996; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2963; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2959; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2990; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2992; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2986; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2929; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2956; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2946; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2934; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2978; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2982; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2967; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2957; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2941; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2995; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2950; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2974; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2987; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2938; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2964; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2980; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2983; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2991; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2933; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2945; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2928; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2968; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2975; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3004; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3003; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3005; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3002; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3001; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3051; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3044; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3047; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3054; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3057; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3048; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3050; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3046; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3053; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3043; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3042; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3052; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3045; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3056; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3055; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:3049; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3109; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3092; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3111; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3100; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3114; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3119; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3127; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3096; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3123; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3110; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3117; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3108; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3098; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3095; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3121; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3103; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3102; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3099; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3126; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3118; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3124; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3116; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3113; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3120; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3129; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3091; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3094; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3105; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3107; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3115; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3125; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3093; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3112; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3101; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3097; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3128; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.llsrpc; classtype:protocol-command-decode; sid:3090; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:3122; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3104; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:3106; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3135; rev:2;)
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3144; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3141; rev:2;)
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3143; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3140; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3139; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3137; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3142; rev:2;)
+alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3146; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3136; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:3138; rev:2;)
+alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:3145; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3163; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3185; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3256; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3431; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3421; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3238; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3239; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3241; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3419; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3260; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3413; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:3218; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3157; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3180; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3406; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3251; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3205; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3211; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3384; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3397; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3217; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3416; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3170; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3160; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3377; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3428; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:3233; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3435; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3178; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3183; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3248; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3245; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3412; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3386; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3166; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3392; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3409; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3270; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3227; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3203; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3226; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3208; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3255; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3196; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3430; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3389; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3174; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3275; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3265; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3415; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3268; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3156; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3439; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3162; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3186; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3230; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3383; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3250; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3231; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3216; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3378; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3171; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3427; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3402; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3264; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3423; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3222; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3204; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3210; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3240; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3396; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3247; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3259; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:3411; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3223; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3405; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3244; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3385; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3380; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3184; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3440; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3426; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3189; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3179; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3254; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:3195; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3175; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3167; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3432; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3228; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3202; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3420; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3269; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3401; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3390; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3172; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3207; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3391; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3232; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3158; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3224; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3258; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3176; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3379; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3213; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3422; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3262; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3436; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3190; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3165; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3243; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3425; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3418; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3395; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3246; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3408; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3253; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3198; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3215; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3394; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3263; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3433; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3187; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3236; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3181; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3168; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3414; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3388; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3382; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3229; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:3276; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3429; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3220; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3404; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3219; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3398; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3212; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3206; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3399; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3159; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3169; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3261; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3257; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3417; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3410; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3249; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3271; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:3437; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3252; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3173; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3161; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3400; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3266; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3225; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3214; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3197; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3434; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3393; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:3424; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:3221; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3242; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3182; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:3267; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3177; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3387; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3403; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:3209; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3407; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:3381; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3191; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:3438; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:3237; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:3164; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3188; rev:2;)
--- /dev/null
+++ b/rules/attack-responses.rules
@@ -0,0 +1,44 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules").  The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved.  All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights).  In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: attack-responses.rules,v 1.32.2.3.2.2 2005/07/22 19:19:54 mwatchinski Exp $
+# ----------------
+# ATTACK RESPONSES
+# ----------------
+# These signatures are those when they happen, its usually because a machine
+# has been compromised.  These should not false that often and almost always
+# mean a compromise.
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:9;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:10;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:8;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:12;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
+
+alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
+alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)
+
+alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:5;)
+alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:10;)
+alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:10;)
+alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:1810; rev:12;)
+alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1811; rev:8;)
+alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2104; rev:5;)
+alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; classtype:successful-user; sid:2412; rev:3;)
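Review bot: Sids 494, 495 and 497 use a bare `flow:established` and rely on the rule header alone for direction, while the neighbouring HTTP response rules (sids 1200, 1666, 1201) state `flow:from_server,established`. The three should match them with `flow:from_server,established;`, so that only the server side of the session is inspected. Sids 1292 and 2123 also carry no direction keyword in their flow option. Separately, sid 498 is written `alert ip any any -> any any` with no flow option, so it also fires on inbound and internal traffic that merely contains the string, which sits poorly with the file's header comment that these signatures almost always mean a compromise. Scoping it to `$HOME_NET any -> $EXTERNAL_NET any`, as sid 1882 already does, would cut that noise, though this is a tuning decision for the ruleset owner to confirm.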
--- /dev/null
+++ b/etc/community-sid-msg.map
@@ -0,0 +1,837 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# This file is licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# Id SID -> MSG map
+
+100000100 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit || cve,2004-0629 || bugtraq,10947
+100000101 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit || cve,2004-0629 || bugtraq,10947
+100000102 || COMMUNITY GAME Halocon Denial of Service Empty UDP Packet || bugtraq,12281
+100000103 || COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262
+100000104 || COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192
+100000105 || COMMUNITY INAPPROPRIATE lolita sex
+100000106 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
+100000107 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp || bugtraq,7470 || cve,2003-0118 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx
+100000108 || COMMUNITY SQL-INJECTION OpenBB board.php || bugtraq,7404
+100000109 || COMMUNITY SQL-INJECTION OpenBB member.php || bugtraq,7404
+100000110 || COMMUNITY VIRUS Dabber PORT overflow attempt port 5554 || MCAFEE,125300
+100000111 || COMMUNITY VIRUS Dabber PORT overflow attempt port 1023 || MCAFEE,125300
+100000112 || COMMUNITY WEB-CGI Readfile.tcl Access || bugtraq,7426
+100000113 || COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi || bugtraq,7530 || cve,2003-0243
+100000114 || COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi || bugtraq,7530 || cve,2003-0243
+100000115 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID || bugtraq,7589
+100000116 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID || bugtraq,7589
+100000117 || COMMUNITY WEB-CGI VBulliten Remote Command Execution Attempt || bugtraq,12542
+100000118 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
+100000119 || COMMUNITY WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx
+100000121 || COMMUNITY WEB-MISC Test Script Access
+100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646
+100000123 || COMMUNITY INAPPROPRIATE preteen sex
+100000124 || COMMUNITY INAPPROPRIATE girls gone wild
+100000125 || COMMUNITY MISC Sentinel License Manager overflow attempt || cve,CAN-2005-0353 || bugtraq,12742
+100000126 || COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt || cve,2005-0768 || url,unsecure.altervista.org/security/goodtechtelnet.htm
+100000127 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack formmail.inc.php || bugtraq,12735
+100000128 || COMMUNITY WEB-CGI Stadtaus.com PHP Form Mail Remote Script Include Attack download_center_lite.inc.php || bugtraq,12735
+100000129 || COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS || bugtraq,10014 || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml
+100000130 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS || bugtraq,12778
+100000131 || COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access || bugtraq,12778
+100000132 || COMMUNITY WEB-MISC Proxy Server Access
+100000133 || COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request || bugtraq,7398 || url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1
+100000134 || COMMUNITY DOS Tcpdump rsvp attack || cve,2005-1280 || cve,2005-1281 || bugtraq,13391
+100000135 || COMMUNITY IMAP GNU Mailutils request tag format string vulnerability || cve,CAN-2005-1523 || bugtraq,13764
+100000136 || COMMUNITY IMAP GNU imapd search format string attempt || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 || cve,2005-2878
+100000137 || COMMUNITY MISC BAD-SSL tcp detect
+100000138 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost || cve,2005-2678
+100000139 || COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP || cve,2005-2678
+100000140 || COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow || cve,2005-0684 || url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities
+100000141 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000142 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000143 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000144 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000145 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000146 || COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt || bugtraq,13727 || cve,CAN-2005-1252
+100000148 || COMMUNITY WEB-MISC Barracuda img.pl attempt || bugtraq,14712 || bugtraq,14710 || cve,2005-2848
+100000149 || COMMUNITY WEB-MISC Jboss % attempt || bugtraq,13985 || cve,2005-2006 || url,www.osvdb.org/displayvuln.php?osvdb_id=17403
+100000150 || COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt || bugtraq,13873 || bugtraq,14106 || cve,2005-2088 || cve,2005-2089 || cve,2005-2090 || cve,2005-2091 || cve,2005-2092 || cve,2005-2093 || cve,2005-2094 || url,www.osvdb.org/displayvuln.php?osvdb_id=17738 || nessus,18337
+100000151 || COMMUNITY WEB-PHP piranha default passwd attempt || bugtraq,1148 || cve,2000-0248 || nessus,10381
+100000152 || COMMUNITY IMAP MDaemon authentication protocol decode
+100000153 || COMMUNITY IMAP MDaemon authentication multiple packet overflow attempt || bugtraq,14317
+100000154 || COMMUNITY IMAP MDaemon authentication okay protocol decode
+100000155 || COMMUNITY IMAP MDaemon authentication overflow single packet attempt || bugtraq,14317
+100000156 || COMMUNITY WEB-CGI Twiki shell command execution || bugtraq,14834 || cve,2005-2877 || url,twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev
+100000157 || COMMUNITY WEB-CGI ATutor password_reminder.php SQL injection attempt || bugtraq,14831
+100000158 || COMMUNITY SIP INVITE message flooding
+100000159 || COMMUNITY SIP REGISTER message flooding
+100000160 || COMMUNITY SIP TCP/IP message flooding directed to SIP proxy
+100000161 || COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses
+100000162 || COMMUNITY SIP 401 Unauthorized Flood
+100000163 || COMMUNITY SIP 407 Proxy Authentication Required Flood
+100000164 || COMMUNITY ICMP Linux DoS sctp Exploit || nessus,19777
+100000165 || COMMUNITY EXPLOIT Sentinel LM exploit || bugtraq,12742 || cve,2005-0353 || url,www.osvdb.org/displayvuln.php?osvdb_id=14605 || nessus,17326
+100000166 || COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt || bugtraq,15032 || url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html
+100000167 || COMMUNITY SMTP Hydra Activity Detected || url,www.thc.org/releases.php
+100000168 || COMMUNITY WEB-ATTACKS Hydra Activity Detected || url,www.thc.org/releases.php
+100000169 || COMMUNITY WEB-ATTACKS Amap fingerprint attempt || url,www.thc.org/releases.php
+100000170 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
+100000171 || COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter || bugtraq,15081 || url,www.osvdb.org/displayvuln.php?osvdb_id=19926
+100000172 || COMMUNITY NNTP Lynx overflow attempt || cve,2005-3120 || bugtraq,15117 || url,www.osvdb.org/displayvuln.php?osvdb_id=20019 || nessus,20035
+100000173 || COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt
+100000174 || COMMUNITY WEB-IIS RSA WebAgent access || cve,2005-1118 || bugtraq,13168
+100000175 || COMMUNITY DOS Ethereal slimp overflow attempt || cve,2005-3243 || url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html
+100000176 || COMMUNITY EXPLOIT HPUX LPD overflow attempt || cve,2005-3277 || bugtraq,15136
+100000177 || COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt || bugtraq,14822 || cve,2005-2799 || nessus,20096 || url,www.osvdb.org/displayvuln.php?osvdb_id=19389
+100000178 || COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt || bugtraq,15225 || nessus,20097
+100000179 || COMMUNITY WEB-MISC SMC TRACE access || url,www.kb.cert.org/vuls/id/867593
+100000180 || COMMUNITY EXPLOIT SIP UDP spoof attempt || bugtraq,14174 || cve,2005-2182 || url,www.osvdb.org/displayvuln.php?osvdb_id=17838
+100000181 || COMMUNITY GAME FlatFrag game dos exploit || bugtraq,15287 || cve,2005-3492
+100000182 || COMMUNITY GAME Battle Carry attempt || cve,2005-3493 || bugtraq,15282
+100000183 || COMMUNITY WEB-ATTACKS SAP WAS syscmd access || url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf
+100000184 || COMMUNITY WEB-MISC JBoss JMXInvokerServlet access || url,online.securityfocus.com/archive/1/415707
+100000185 || COMMUNITY WEB-MISC apache directory list attempt || bugtraq,3009 || cve,2001-0731
+100000186 || COMMUNITY WEB-PHP phpinfo access || bugtraq,5789 || cve,2002-1149 || url,www.osvdb.org/displayvuln.php?osvdb_id=3356
+100000187 || COMMUNITY WEB-PHP XSS attempt
+100000188 || COMMUNITY WEB-PHP Vubb Path attempt || cve,2005-3513 || url,marc.theaimsgroup.com/?l=bugtraq&m=113087965608496&w=2
+100000189 || COMMUNITY MISC streaming RTSP - realplayer || url,www.rtsp.org
+100000190 || COMMUNITY MISC streaming Windows Mediaplayer || url,www.microsoft.com
+100000191 || COMMUNITY SMTP Gnu Mailman utf8 attachement access || bugtraq,15408 || cve,2005-3573 || url,www.osvdb.org/displayvuln.php?osvdb_id=20819
+100000192 || COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20846
+100000193 || COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20845
+100000194 || COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt || bugtraq,15410 || url,www.osvdb.org/displayvuln.php?osvdb_id=20847
+100000195 || COMMUNITY WEB-PHP _SERVER HTTP_ACCEPT_LANGUAGE access || bugtraq,15414 || cve,2005-3347
+100000196 || COMMUNITY IMAP Qualcomm WorldMail SELECT dot dot attempt || cve,2005-3189 || bugtraq,15488
+100000197 || COMMUNITY ICMP undefined code
+100000198 || COMMUNITY MISC Ntp fingerprint detect || url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1
+100000199 || COMMUNITY MISC Novell eDirectory iMonitor access || bugtraq,14548 || cve,2005-2551 || nessus,19248 || url,www.osvdb.org/displayvuln.php?osvdb_id=18703
+100000200 || COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt || nessus,19598 || url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html
+100000201 || COMMUNITY WEB-PHP CuteNews flood.db.php access || bugtraq,14869 || cve,2005-3010 || nessus,19756 || url,www.osvdb.org/displayvuln.php?osvdb_id=19478
+100000202 || COMMUNITY WEB-PHP DeluxeBB topic.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19404
+100000203 || COMMUNITY WEB-PHP DeluxeBB misc.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19405
+100000204 || COMMUNITY WEB-PHP DeluxeBB pm.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19407
+100000205 || COMMUNITY WEB-PHP DeluxeBB forums.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19406
+100000206 || COMMUNITY WEB-PHP DeluxeBB newpost.php access || bugtraq,14851 || cve,2005-2989 || nessus,19750 || url,www.osvdb.org/displayvuln.php?osvdb_id=19408
+100000207 || COMMUNITY IMAP GNU Mailutils imap4d hex attempt || cve,2005-2878 || bugtraq,14794 || nessus,19605 || url,www.osvdb.org/displayvuln.php?osvdb_id=19306
+100000208 || COMMUNITY MISC Tunneling IP over DNS with NSTX || url,nstx.dereference.de/nstx/ || url,slashdot.org/articles/00/09/10/2230242.shtml
+100000209 || COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt || bugtraq,14367 || cve,2005-2420 || nessus,19300 || url,www.osvdb.org/displayvuln.php?osvdb_id=18305
+100000210 || COMMUNITY WEB-MISC generic cmd pipe after = attempt
+100000211 || COMMUNITY WEB-PHP Gallery g2_itemId access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000212 || COMMUNITY WEB-PHP Gallery g2_return access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000213 || COMMUNITY WEB-PHP Gallery g2_view access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000214 || COMMUNITY WEB-PHP Gallery g2_subView access || bugtraq,15108 || cve,2005-0222 || nessus,20015 || url,www.osvdb.org/displayvuln.php?osvdb_id=13034
+100000215 || COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt || cve,2005-1928 || url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities
+100000216 || COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access || cve,2005-1929 || url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities
+100000217 || COMMUNITY WEB-MISC man2web cmd exec attempt || cve,2005-2812 || bugtraq,14747 || nessus,19591
+100000218 || COMMUNITY WEB-PHP MailGust SQL Injection email attempt || bugtraq,14933 || cve,2005-3063 || nessus,19947
+100000219 || COMMUNITY SMTP MIME-Type ms-tnef access || bugtraq,16197 || cve,2006-0002 || url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx
+100000220 || COMMUNITY WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access || url,www.autistici.org/anacron-group-italy/file/txt/sile002adv.txt || url,www.osvdb.org/displayvuln.php?osvdb_id=16244
+100000221 || COMMUNITY WEB-PHP AppServ main.php appserv_root param access || url,www.osvdb.org/displayvuln.php?osvdb_id=22228
+100000222 || COMMUNITY MISC TFTP32 Get Format string attempt || url,www.securityfocus.com/archive/1/422405/30/0/threaded || url,www.critical.lt/?vulnerabilities/200
+100000223 || COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt || bugtraq,16213 || cve,2006-0189
+100000224 || COMMUNITY SMTP Mozilla filename overflow attempt || bugtraq,16271
+100000225 || COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access || cve,2006-0192
+100000226 || COMMUNITY VIRUS Possible BlackWorm or Nymex infected host || url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm || url,cme.mitre.org/data/list.html#24 || url,isc.sans.org/blackworm
+100000227 || COMMUNITY MISC SNMP trap Format String detected || bugtraq,16267 || cve,2006-0250 || url,www.osvdb.org/displayvuln.php?osvdb_id=22493
+100000228 || COMMUNITY WEB-CLIENT Winamp PlayList buffer overflow attempt || bugtraq,16410 || cve,2006-0476 || url,www.frsirt.com/english/advisories/2006/0361
+100000229 || COMMUNITY MISC Lotus Domino LDAP attack || bugtraq,16523 || cve,2006-0580 || url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html
+100000230 || COMMUNITY MISC Jabber/Google Talk Outgoing Traffic || url,www.google.com/talk/
+100000231 || COMMUNITY MISC Jabber/Google Talk Outgoing Auth || url,www.google.com/talk/
+100000232 || COMMUNITY MISC Google Talk Logon || url,www.google.com/talk/
+100000233 || COMMUNITY MISC Jabber/Google Talk Outoing Message || url,www.google.com/talk/
+100000234 || COMMUNITY MISC Jabber/Google Talk Log Out || url,www.google.com/talk/
+100000235 || COMMUNITY MISC Jabber/Google Talk Logon Success || url,www.google.com/talk/
+100000236 || COMMUNITY MISC Jabber/Google Talk Incoming Message || url,www.google.com/talk/
+100000237 || COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language || url,www.boingboing.net/2006/02/22/argonne_national_lab.html
+100000238 || COMMUNITY WEB-CLIENT IE mulitple event handler heap overflow attempt || bugtraq,17131 || cve,2006-1245 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
+100000239 || COMMUNITY WEB-CLIENT IE createTextRange overflow attempt || bugtraq,17196 || cve,2006-1359 || url,www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
+100000240 || COMMUNITY BOT IRC Traffic Detected By Nick Change
+100000241 || COMMUNITY BOT Internal IRC server detected
+100000242 || COMMUNITY BOT Agobot/PhatBot bot.about command
+100000243 || COMMUNITY BOT Agobot/PhatBot bot.die command
+100000244 || COMMUNITY BOT Agobot/PhatBot bot.dns command
+100000245 || COMMUNITY BOT Agobot/PhatBot bot.execute command
+100000246 || COMMUNITY BOT Agobot/PhatBot bot.id command
+100000247 || COMMUNITY BOT Agobot/PhatBot bot.nick command
+100000248 || COMMUNITY BOT Agobot/PhatBot bot.open command
+100000249 || COMMUNITY BOT Agobot/PhatBot bot.remove command
+100000250 || COMMUNITY BOT Agobot/PhatBot bot.removeallbut command
+100000251 || COMMUNITY BOT Agobot/PhatBot bot.rndnick command
+100000252 || COMMUNITY BOT Agobot/PhatBot bot.status command
+100000253 || COMMUNITY BOT Agobot/PhatBot bot.sysinfo command
+100000254 || COMMUNITY BOT Agobot/PhatBot bot.longuptime command
+100000255 || COMMUNITY BOT Agobot/PhatBot bot.highspeed command
+100000256 || COMMUNITY BOT Agobot/PhatBot bot.quit command
+100000257 || COMMUNITY BOT Agobot/PhatBot bot.flushdns command
+100000258 || COMMUNITY BOT Agobot/PhatBot bot.secure command
+100000259 || COMMUNITY BOT Agobot/PhatBot bot.unsecure command
+100000260 || COMMUNITY BOT Agobot/PhatBot bot.command command
+100000261 || COMMUNITY BOT SDBot killthread command
+100000262 || COMMUNITY BOT SDBot cdkey command
+100000263 || COMMUNITY BOT SDBot getcdkey command
+100000264 || COMMUNITY BOT SDBot rndnick command
+100000265 || COMMUNITY BOT SDBot c_rndnick command
+100000266 || COMMUNITY BOT SDBot c_nick command
+100000267 || COMMUNITY BOT SpyBot stopspy  command
+100000268 || COMMUNITY BOT SpyBot redirectspy  command
+100000269 || COMMUNITY BOT SpyBot loadclones command
+100000270 || COMMUNITY BOT SpyBot killclones command
+100000271 || COMMUNITY BOT SpyBot rawclones  command
+100000272 || COMMUNITY BOT GTBot ver command
+100000273 || COMMUNITY BOT GTBot info command
+100000274 || COMMUNITY BOT GTBot scan command
+100000275 || COMMUNITY BOT GTBot portscan command
+100000276 || COMMUNITY BOT GTBot stopscan command
+100000277 || COMMUNITY BOT GTBot packet command
+100000278 || COMMUNITY BOT GTBot bnc command
+100000279 || COMMUNITY SMTP Incoming WAB attachment || cve,2006-0014 || url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx
+100000281 || COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials
+100000282 || COMMUNITY VIRUS Nugache connect
+100000283 || COMMUNITY VIRUS Nugache data || url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html
+100000284 || COMMUNITY WEB-CLIENT RealMedia invalid chunk size heap overflow attempt || bugtraq,17202 || cve,2005-2922 || url,service.real.com/realplayer/security/03162006_player/en/
+100000285 || COMMUNITY WEB-PHP ldap_var.inc.php remote file include attempt || bugtraq,17915
+100000286 || COMMUNITY WEB-PHP X Poll admin access || url,marc.theaimsgroup.com/?l=bugtraq&m=114710173409997&w=2
+100000287 || COMMUNITY WEB-PHP Claroline ldap.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000288 || COMMUNITY WEB-PHP Claroline atutor.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000289 || COMMUNITY WEB-PHP Claroline db-generic.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000290 || COMMUNITY WEB-PHP Claroline docebo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000291 || COMMUNITY WEB-PHP Claroline dokeos.1.6.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000292 || COMMUNITY WEB-PHP Claroline dokeos.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000293 || COMMUNITY WEB-PHP Claroline ganesha.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000294 || COMMUNITY WEB-PHP Claroline mambo.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000295 || COMMUNITY WEB-PHP Claroline moodle.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000296 || COMMUNITY WEB-PHP Claroline phpnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000297 || COMMUNITY WEB-PHP Claroline postnuke.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000298 || COMMUNITY WEB-PHP Claroline spip.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000299 || COMMUNITY WEB-PHP Claroline event/init_event_manager.inc.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000300 || COMMUNITY WEB-PHP Claroline export_exe_tracking.class.php access || url,www.claroline.net || url,marc.theaimsgroup.com/?l=full-disclosure&m=114710378713072&w=2
+100000301 || COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt || bugtraq,16742 || cve,2006-0559
+100000302 || COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access || bugtraq,17964
+100000303 || COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access || bugtraq,17964
+100000304 || COMMUNITY WEB-PHP Gphoto index.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000305 || COMMUNITY WEB-PHP Gphoto index.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000306 || COMMUNITY WEB-PHP Gphoto diapho.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000307 || COMMUNITY WEB-PHP Gphoto diapho.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000308 || COMMUNITY WEB-PHP Gphoto affich.php rep parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000309 || COMMUNITY WEB-PHP Gphoto affich.php image parameter remote file include attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=114754094110073&w=2
+100000310 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net || url,vil.nai.com/vil/content/v_139545.htm
+100000311 || COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org || url,vil.nai.com/vil/content/v_139545.htm
+100000312 || COMMUNITY VIRUS Ginwui.B POST attempt || url,vil.nai.com/vil/content/v_139545.htm
+100000313 || COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal || bugtraq,14715 || cve,2005-2020
+100000314 || COMMUNITY WEB-MISC MediaWiki parser script insertion attempt || cve,2006-2611
+100000315 || COMMUNITY WEB-MISC HTTP PUT Request || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html
+100000316 || COMMUNITY WEB-MISC HTTP PUT Request Successful || url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html
+100000317 || COMMUNITY WEB-MISC phpBazar classified_right.php remote file include || bugtraq,18052
+100000318 || COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access || bugtraq,18053 || cve,2006-2527
+100000319 || COMMUNITY WEB-MISC ActualScripts direct.php remote file include || bugtraq,17597
+100000320 || COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include || bugtraq,18027
+100000321 || COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include || bugtraq,18027
+100000322 || COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include || bugtraq,18027
+100000323 || COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include || bugtraq,18027
+100000324 || COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include || bugtraq,18027
+100000325 || COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include || bugtraq,18027
+100000326 || COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include || bugtraq,18027
+100000327 || COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include || bugtraq,18027
+100000328 || COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include || bugtraq,18027
+100000329 || COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include || bugtraq,18040
+100000330 || COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include || bugtraq,18040
+100000331 || COMMUNITY WEB-MISC ZixForum settings.asp access || bugtraq,18043
+100000332 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047
+100000333 || COMMUNITY WEB-MISC Artmedic Newsletter log.php access || bugtraq,18047
+100000334 || COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include || bugtraq,18076
+100000335 || COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include || bugtraq,18076
+100000336 || COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include || cve,2006-2521
+100000337 || COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include || cve,2006-2521
+100000338 || COMMUNITY WEB-MISC phpMyDirectory header.php remote file include || cve,2006-2521
+100000339 || COMMUNITY WEB-MISC V-Webmail core.php remote file include || url,secunia.com/advisories/20297/
+100000340 || COMMUNITY WEB-MISC V-Webmail pop3.php remote file include || url,secunia.com/advisories/20297/
+100000341 || COMMUNITY WEB-MISC DoceboLMS help.php remote file include || bugtraq,18110
+100000342 || COMMUNITY WEB-MISC DoceboLMS business.php remote file include || bugtraq,18110
+100000343 || COMMUNITY WEB-MISC DoceboLMS credits.php remote file include || bugtraq,18110
+100000344 || COMMUNITY WEB-MISC SocketMail index.php remote file include || url,secunia.com/advisories/20273/
+100000345 || COMMUNITY WEB-MISC SocketMail inc-common.php remote file include || url,secunia.com/advisories/20273/
+100000346 || COMMUNITY WEB-MISC Plume CMS prepend.php remote file include || bugtraq,16662
+100000347 || COMMUNITY WEB-MISC Ezupload Pro form.php remote file include || bugtraq,18135
+100000348 || COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include || bugtraq,18135
+100000349 || COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include || bugtraq,18135
+100000350 || COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include || url,www.nukedx.com/?viewdoc=40
+100000351 || COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include || url,www.nukedx.com/?viewdoc=40
+100000352 || COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include || bugtraq,18153 || url,www.nukedx.com/?viewdoc=41
+100000353 || COMMUNITY WEB-MISC tinyBB footers.php remote file include || bugtraq,18147
+100000354 || COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include || bugtraq,18155
+100000355 || COMMUNITY WEB-MISC eSyndiCat cron.php remote file include || url,secunia.com/advisories/20218/
+100000356 || COMMUNITY WEB-MISC BASE base_qry_common.php remote file include || url,secunia.com/advisories/20300/
+100000357 || COMMUNITY WEB-MISC BASE base_stat_common.php remote file include || url,secunia.com/advisories/20300/
+100000358 || COMMUNITY WEB-MISC BASE base_include.inc.php remote file include || url,secunia.com/advisories/20300/
+100000359 || COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include || bugtraq,18163
+100000360 || COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include || bugtraq,18163
+100000361 || COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include || bugtraq,18163
+100000362 || COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include || bugtraq,18163
+100000363 || COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include || bugtraq,18163
+100000364 || COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include || bugtraq,18163
+100000365 || COMMUNITY WEB-MISC phpNuke index.php remote file include || bugtraq,18186
+100000366 || COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include || bugtraq,18186
+100000367 || COMMUNITY WEB-MISC phpNuke admin_board.php remote file include || bugtraq,18186
+100000368 || COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include || bugtraq,18186
+100000369 || COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include || bugtraq,18186
+100000370 || COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include || bugtraq,18186
+100000371 || COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include || bugtraq,18186
+100000372 || COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include || bugtraq,18186
+100000373 || COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include || bugtraq,18186
+100000374 || COMMUNITY WEB-MISC phpNuke admin_words.php remote file include || bugtraq,18186
+100000375 || COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include || bugtraq,18186
+100000376 || COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include || bugtraq,18186
+100000377 || COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include || bugtraq,18186
+100000378 || COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include || bugtraq,18186
+100000379 || COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include || bugtraq,18186
+100000380 || COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include || bugtraq,18186
+100000381 || COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include || bugtraq,18186
+100000382 || COMMUNITY WEB-MISC phpNuke admin_users.php remote file include || bugtraq,18186
+100000383 || COMMUNITY WEB-MISC OsTicket open_form.php remote file include || bugtraq,18190
+100000384 || COMMUNITY WEB-MISC Ottoman index.php remote file include || bugtraq,18208
+100000385 || COMMUNITY WEB-MISC Ottoman error.php remote file include || bugtraq,18208
+100000386 || COMMUNITY WEB-MISC Ottoman main_class.php remote file include || bugtraq,18208
+100000387 || COMMUNITY WEB-MISC Ovidentia index.php remote file include || bugtraq,18232
+100000388 || COMMUNITY WEB-MISC Ovidentia topman.php remote file include || bugtraq,18232
+100000389 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
+100000390 || COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include || bugtraq,18232
+100000391 || COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include || bugtraq,18232
+100000392 || COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include || bugtraq,18232
+100000393 || COMMUNITY WEB-MISC Ovidentia start.php remote file include || bugtraq,18232
+100000394 || COMMUNITY WEB-MISC Ovidentia search.php remote file include || bugtraq,18232
+100000395 || COMMUNITY WEB-MISC Ovidentia posts.php remote file include || bugtraq,18232
+100000396 || COMMUNITY WEB-MISC Ovidentia options.php remote file include || bugtraq,18232
+100000397 || COMMUNITY WEB-MISC Ovidentia login.php remote file include || bugtraq,18232
+100000398 || COMMUNITY WEB-MISC Ovidentia frchart.php remote file include || bugtraq,18232
+100000399 || COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include || bugtraq,18232
+100000400 || COMMUNITY WEB-MISC Ovidentia fileman.php remote file include || bugtraq,18232
+100000401 || COMMUNITY WEB-MISC Ovidentia faq.php remote file include || bugtraq,18232
+100000402 || COMMUNITY WEB-MISC Ovidentia event.php remote file include || bugtraq,18232
+100000403 || COMMUNITY WEB-MISC Ovidentia directory.php remote file include || bugtraq,18232
+100000404 || COMMUNITY WEB-MISC Ovidentia articles.php remote file include || bugtraq,18232
+100000405 || COMMUNITY WEB-MISC Ovidentia artedit.php remote file include || bugtraq,18232
+100000406 || COMMUNITY WEB-MISC Ovidentia approb.php remote file include || bugtraq,18232
+100000407 || COMMUNITY WEB-MISC Ovidentia calday.php remote file include || bugtraq,18232
+100000408 || COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include || bugtraq,18220
+100000409 || COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include || bugtraq,18220
+100000410 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000411 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000412 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000413 || COMMUNITY WEB-MISC REDAXO index.inc.php remote file include || bugtraq,18229
+100000414 || COMMUNITY WEB-MISC REDAXO community.inc.php remote file include || bugtraq,18229
+100000415 || COMMUNITY WEB-MISC Bytehoard server.php remote file include || bugtraq,18234
+100000416 || COMMUNITY WEB-MISC MyBloggie admin.php remote file include || bugtraq,18241
+100000417 || COMMUNITY WEB-MISC MyBloggie scode.php remote file include || bugtraq,18241
+100000418 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include || bugtraq,18248
+100000419 || COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include || bugtraq,18248
+100000420 || COMMUNITY WEB-MISC Informium common-menu.php remote file include || bugtraq,18249
+100000421 || COMMUNITY WEB-MISC Igloo wiki.php remote file include || bugtraq,18250
+100000422 || COMMUNITY WEB-MISC phpBB template.php remote file include || bugtraq,18255
+100000423 || COMMUNITY WEB-MISC DotWidget CMS index.php remote file include || bugtraq,18258
+100000424 || COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include || bugtraq,18258
+100000425 || COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include || bugtraq,18258
+100000426 || COMMUNITY WEB-MISC DotClear prepend.php remote file include || bugtraq,18259
+100000427 || COMMUNITY WEB-MISC JBoss jmx-console html adaptor access || url,jboss.org/wiki/Wiki.jsp?page=JMXConsole
+100000428 || COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2
+100000429 || COMMUNITY WEB-MISC JBoss web-console access || url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole
+100000430 || COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include || bugtraq,18261
+100000431 || COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include || bugtraq,18261
+100000432 || COMMUNITY WEB-MISC BlueShoes file.php remote file include || bugtraq,18261
+100000433 || COMMUNITY WEB-MISC BlueShoes viewer.php remote file include || bugtraq,18261
+100000434 || COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include || bugtraq,18261
+100000435 || COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include || bugtraq,18261
+100000436 || COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include || bugtraq,18261
+100000437 || COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote file include || bugtraq,18263
+100000438 || COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include || bugtraq,18265
+100000439 || COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include || bugtraq,18265
+100000440 || COMMUNITY WEB-MISC CyBoards common.php remote file include || bugtraq,18272
+100000441 || COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include || bugtraq,18291
+100000442 || COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include || bugtraq,18313
+100000443 || COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include || bugtraq,18313
+100000444 || COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include || bugtraq,18313
+100000445 || COMMUNITY WEB-PHP Particle Gallery Viewimage PHP Variable Injection Attempt || bugtraq,18270
+100000446 || COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt || bugtraq,18273
+100000447 || COMMUNITY WEB-CLIENT Mozilla Firefox DOMNodeRemoved attack attempt || bugtraq,18228 || cve,2006-2779
+100000448 || COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt || bugtraq,18367
+100000449 || COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt || bugtraq,18367
+100000450 || COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt || bugtraq,18368
+100000451 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
+100000452 || COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt || bugtraq,18379
+100000453 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
+100000454 || COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt || bugtraq,18379
+100000455 || COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt || bugtraq,18473
+100000456 || COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt || bugtraq,18482
+100000457 || COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt || bugtraq,18512
+100000458 || COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt || bugtraq,18526
+100000459 || COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt || bugtraq,18564
+100000460 || COMMUNITY WEB-MISC AZureus index.tmpl xss attempt || bugtraq,18596
+100000461 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
+100000462 || COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt || bugtraq,18598
+100000463 || COMMUNITY WEB-PHP Joomla joomla.php remote file include || bugtraq,18363
+100000464 || COMMUNITY WEB-PHP LoveCompass AEPartner design.inc.php remote file include || bugtraq,18370
+100000465 || COMMUNITY WEB-PHP Empris sql_fcnsOLD.php remote file include || bugtraq,18371
+100000466 || COMMUNITY WEB-PHP Free QBoard post.php remote file include || bugtraq,18373
+100000467 || COMMUNITY WEB-PHP WebprojectDB nav.php remote file include || bugtraq,18378
+100000468 || COMMUNITY WEB-PHP WebprojectDB lang.php remote file include || bugtraq,18378
+100000469 || COMMUNITY WEB-PHP iFoto index.php xss attempt || bugtraq,18391
+100000470 || COMMUNITY WEB-PHP Foing manage_songs.php remote file include || bugtraq,18392
+100000471 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
+100000472 || COMMUNITY WEB-PHP VBZoom show.php SQL injection attempt || bugtraq,18403
+100000473 || COMMUNITY WEB-PHP VBZoom language.php SQL injection attempt || bugtraq,18403
+100000474 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
+100000475 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
+100000476 || COMMUNITY WEB-PHP VBZoom meaning.php SQL injection attempt || bugtraq,18403
+100000477 || COMMUNITY WEB-PHP VBZoom subject.php SQL injection attempt || bugtraq,18403
+100000478 || COMMUNITY WEB-PHP aWebNews visview.php remote file include || bugtraq,18406
+100000479 || COMMUNITY WEB-PHP CzarNews headlines.php remote file include || bugtraq,18411
+100000480 || COMMUNITY WEB-PHP Somery team.php remote file include || bugtraq,18412
+100000481 || COMMUNITY WEB-PHP Hinton Design PHPHG signed.php remote file include || bugtraq,18413
+100000482 || COMMUNITY WEB-PHP BoastMachine vote.php remote file include || bugtraq,18415
+100000483 || COMMUNITY WEB-PHP Wheatblog view_links.php remote file include || bugtraq,18416
+100000484 || COMMUNITY WEB-PHP Confixx ftp_index.php xss attempt || bugtraq,18426
+100000485 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18435
+100000486 || COMMUNITY WEB-PHP PhpBlueDragon CMS template.php remote file include || bugtraq,18440
+100000487 || COMMUNITY WEB-PHP ISPConfig server.inc.php remote file include || bugtraq,18441
+100000488 || COMMUNITY WEB-PHP ISPConfig app.inc.php remote file include || bugtraq,18441
+100000489 || COMMUNITY WEB-PHP ISPConfig login.php remote file include || bugtraq,18441
+100000490 || COMMUNITY WEB-PHP ISPConfig trylogin.php remote file include || bugtraq,18441
+100000491 || COMMUNITY WEB-PHP DeluxeBB posting.php remote file include || bugtraq,18455
+100000492 || COMMUNITY WEB-PHP DeluxeBB newpm.php remote file include || bugtraq,18455
+100000493 || COMMUNITY WEB-PHP DeluxeBB postreply.php remote file include || bugtraq,18455
+100000494 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
+100000495 || COMMUNITY WEB-PHP Zeroboard write_ok.php xss attempt || bugtraq,18458
+100000496 || COMMUNITY WEB-PHP Chipmailer index.php SQL injection attempt || bugtraq,18463
+100000497 || COMMUNITY WEB-PHP Calendarix cal_event.php SQL injection attempt || bugtraq,18469
+100000498 || COMMUNITY WEB-PHP Calendarix cal_popup.php SQL injection attempt || bugtraq,18469
+100000499 || COMMUNITY WEB-PHP PictureDis thumstbl.php remote file include || bugtraq,18471
+100000500 || COMMUNITY WEB-PHP PictureDis wpfiles.php remote file include || bugtraq,18471
+100000501 || COMMUNITY WEB-PHP PictureDis wallpapr.php remote file include || bugtraq,18471
+100000502 || COMMUNITY WEB-PHP Ji-Takz tag.class.php remote file include || bugtraq,18474
+100000503 || COMMUNITY WEB-PHP Nucleus CMS action.php remote file include || bugtraq,18475
+100000504 || COMMUNITY WEB-PHP Nucleus CMS media.php remote file include || bugtraq,18475
+100000505 || COMMUNITY WEB-PHP Nucleus CMS server.php remote file include || bugtraq,18475
+100000506 || COMMUNITY WEB-PHP Nucleus CMS api_metaweblog.inc.php remote file include || bugtraq,18475
+100000507 || COMMUNITY WEB-PHP FlashChat adminips.php remote file include || bugtraq,18480
+100000508 || COMMUNITY WEB-PHP Wikkawiki wakka.php access || bugtraq,18481
+100000509 || COMMUNITY WEB-PHP RahnemaCo page.php remote file include || bugtraq,18490
+100000510 || COMMUNITY WEB-PHP VBZoom rank.php SQL injection attempt || bugtraq,18497
+100000511 || COMMUNITY WEB-PHP VBZoom message.php SQL injection attempt || bugtraq,18497
+100000512 || COMMUNITY WEB-PHP VBZoom lng.php SQL injection attempt || bugtraq,18497
+100000513 || COMMUNITY WEB-PHP SAPHPLesson showcat.php SQL injection attempt || bugtraq,18501
+100000514 || COMMUNITY WEB-PHP SAPHPLesson misc.php SQL injection attempt || bugtraq,18501
+100000515 || COMMUNITY WEB-PHP CMS Faethon header.php xss attempt || bugtraq,18505
+100000516 || COMMUNITY WEB-PHP CMS Faethon footer.php xss attempt || bugtraq,18505
+100000517 || COMMUNITY WEB-PHP e107 search.php xss attempt || bugtraq,18508
+100000518 || COMMUNITY WEB-PHP PHP Live Helper initiate.php remote file include || bugtraq,18509
+100000519 || COMMUNITY WEB-PHP VUBB index.php SQL injection attempt || bugtraq,18516
+100000520 || COMMUNITY WEB-PHP Xarancms xaramcms_haupt.php SQL injection attempt || bugtraq,18520
+100000521 || COMMUNITY WEB-PHP TPL Design TplShop category.php SQL injection attempt || bugtraq,18524
+100000522 || COMMUNITY WEB-PHP The Edge eCommerce Shop productDetail.php xss attempt || bugtraq,18528
+100000523 || COMMUNITY WEB-PHP CavoxCms index.php SQL injection attempt || bugtraq,18533
+100000524 || COMMUNITY WEB-PHP Micro CMS microcms-include.php remote file include || bugtraq,18537
+100000525 || COMMUNITY WEB-PHP PHPMyDirectory offer-pix.php xss attempt || bugtraq,18539
+100000526 || COMMUNITY WEB-PHP PHPMyDirectory index.php xss attempt || bugtraq,18539
+100000527 || COMMUNITY WEB-PHP AssoCIateD index.php xss attempt || bugtraq,18541
+100000528 || COMMUNITY WEB-PHP PHPMyForum topic.php xss attempt || bugtraq,18542
+100000529 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
+100000530 || COMMUNITY WEB-PHP NC Linklist index.php xss attempt || bugtraq,18546
+100000531 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
+100000532 || COMMUNITY WEB-PHP BtitTracker torrents.php SQL injection attempt || bugtraq,18549
+100000533 || COMMUNITY WEB-PHP VUBB functions.php SQL injection attempt || bugtraq,18561
+100000534 || COMMUNITY WEB-PHP VUBB english.php xss attempt || bugtraq,18562
+100000535 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
+100000536 || COMMUNITY WEB-PHP IMGallery galeria.php SQL injection attempt || bugtraq,18566
+100000537 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
+100000538 || COMMUNITY WEB-PHP thinkWMS index.php SQL injection attempt || bugtraq,18567
+100000539 || COMMUNITY WEB-PHP thinkWMS printarticle.php SQL injection attempt || bugtraq,18567
+100000540 || COMMUNITY WEB-PHP Enterprise Groupware index.php xss attempt || bugtraq,18590
+100000541 || COMMUNITY WEB-PHP Dating Agent picture.php SQL injection attempt || bugtraq,18607
+100000542 || COMMUNITY WEB-PHP Dating Agent mem.php SQL injection attempt || bugtraq,18607
+100000543 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
+100000544 || COMMUNITY WEB-PHP Dating Agent search.php SQL injection attempt || bugtraq,18607
+100000545 || COMMUNITY WEB-PHP PHP Blue Dragon CMS team_admin.php remote file include || bugtraq,18609
+100000546 || COMMUNITY WEB-PHP PHP Blue Dragon CMS rss_admin.php remote file include || bugtraq,18609
+100000547 || COMMUNITY WEB-PHP PHP Blue Dragon CMS manual_admin.php remote file include || bugtraq,18609
+100000548 || COMMUNITY WEB-PHP PHP Blue Dragon CMS forum_admin.php remote file include || bugtraq,18609
+100000549 || COMMUNITY WEB-PHP Custom Datin Biz user_view.php xss attempt || bugtraq,18626
+100000550 || COMMUNITY WEB-PHP Project Eros BBSEngine comment.php access || bugtraq,18627
+100000551 || COMMUNITY WEB-PHP Project Eros BBSEngine aolbonics.php access || bugtraq,18627
+100000552 || COMMUNITY WEB-PHP SmartSiteCMS inc_foot.php remote file include || bugtraq,18628
+100000553 || COMMUNITY WEB-PHP PHPMySMS gateway.php remote file include || bugtraq,18633
+100000554 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
+100000555 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
+100000556 || COMMUNITY WEB-PHP VebiMiau error.php xss attempt || bugtraq,18643
+100000557 || COMMUNITY WEB-PHP VebiMiau index.php xss attempt || bugtraq,18643
+100000558 || COMMUNITY WEB-PHP VebiMiau messages.php xss attempt || bugtraq,18643
+100000559 || COMMUNITY WEB-PHP Infinite Core Technologies ICT index.php SQL injection attempt || bugtraq,18644
+100000560 || COMMUNITY WEB-PHP eNpaper1 root_header.php remote file include || bugtraq,18649
+100000561 || COMMUNITY WEB-PHP dotProject ui.class.php xss attempt || bugtraq,18650
+100000562 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000563 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000564 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000565 || COMMUNITY WEB-PHP GL-SH Deaf Forum show.php xss attempt || bugtraq,18651
+100000566 || COMMUNITY WEB-PHP XennoBB messages.php xss attempt || bugtraq,18652
+100000567 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
+100000568 || COMMUNITY WEB-PHP Qdig index.php xss attempt || bugtraq,18653
+100000569 || COMMUNITY WEB-PHP Indexu app_change_email.php remote file include || bugtraq,18477
+100000570 || COMMUNITY WEB-PHP Indexu app_change_pwd.php remote file include || bugtraq,18477
+100000571 || COMMUNITY WEB-PHP Indexu app_mod_rewrite.php remote file include || bugtraq,18477
+100000572 || COMMUNITY WEB-PHP Indexu app_page_caching.php remote file include || bugtraq,18477
+100000573 || COMMUNITY WEB-PHP Indexu app_setup.php remote file include || bugtraq,18477
+100000574 || COMMUNITY WEB-PHP Indexu cat_add.php remote file include || bugtraq,18477
+100000575 || COMMUNITY WEB-PHP Indexu cat_delete.php remote file include || bugtraq,18477
+100000576 || COMMUNITY WEB-PHP Indexu cat_edit.php remote file include || bugtraq,18477
+100000577 || COMMUNITY WEB-PHP Indexu cat_path_update.php remote file include || bugtraq,18477
+100000578 || COMMUNITY WEB-PHP Indexu cat_search.php remote file include || bugtraq,18477
+100000579 || COMMUNITY WEB-PHP Indexu cat_struc.php remote file include || bugtraq,18477
+100000580 || COMMUNITY WEB-PHP Indexu cat_view.php remote file include || bugtraq,18477
+100000581 || COMMUNITY WEB-PHP Indexu cat_view_hidden.php remote file include || bugtraq,18477
+100000582 || COMMUNITY WEB-PHP Indexu cat_view_hierarchy.php remote file include || bugtraq,18477
+100000583 || COMMUNITY WEB-PHP Indexu cat_view_registered_only.php remote file include || bugtraq,18477
+100000584 || COMMUNITY WEB-PHP Indexu checkurl_web.php remote file include || bugtraq,18477
+100000585 || COMMUNITY WEB-PHP Indexu db_alter.php remote file include || bugtraq,18477
+100000586 || COMMUNITY WEB-PHP Indexu db_alter_change.php remote file include || bugtraq,18477
+100000587 || COMMUNITY WEB-PHP Indexu db_backup.php remote file include || bugtraq,18477
+100000588 || COMMUNITY WEB-PHP Indexu db_export.php remote file include || bugtraq,18477
+100000589 || COMMUNITY WEB-PHP Indexu db_import.php remote file include || bugtraq,18477
+100000590 || COMMUNITY WEB-PHP Indexu editor_add.php remote file include || bugtraq,18477
+100000591 || COMMUNITY WEB-PHP Indexu editor_delete.php remote file include || bugtraq,18477
+100000592 || COMMUNITY WEB-PHP Indexu editor_validate.php remote file include || bugtraq,18477
+100000593 || COMMUNITY WEB-PHP Indexu head.php remote file include || bugtraq,18477
+100000594 || COMMUNITY WEB-PHP Indexu index.php remote file include || bugtraq,18477
+100000595 || COMMUNITY WEB-PHP Indexu inv_config.php remote file include || bugtraq,18477
+100000596 || COMMUNITY WEB-PHP Indexu inv_config_payment.php remote file include || bugtraq,18477
+100000597 || COMMUNITY WEB-PHP Indexu inv_create.php remote file include || bugtraq,18477
+100000598 || COMMUNITY WEB-PHP Indexu inv_delete.php remote file include || bugtraq,18477
+100000599 || COMMUNITY WEB-PHP Indexu inv_edit.php remote file include || bugtraq,18477
+100000600 || COMMUNITY WEB-PHP Indexu inv_markpaid.php remote file include || bugtraq,18477
+100000601 || COMMUNITY WEB-PHP Indexu inv_markunpaid.php remote file include || bugtraq,18477
+100000602 || COMMUNITY WEB-PHP Indexu inv_overdue.php remote file include || bugtraq,18477
+100000603 || COMMUNITY WEB-PHP Indexu inv_paid.php remote file include || bugtraq,18477
+100000604 || COMMUNITY WEB-PHP Indexu inv_send.php remote file include || bugtraq,18477
+100000605 || COMMUNITY WEB-PHP Indexu inv_unpaid.php remote file include || bugtraq,18477
+100000606 || COMMUNITY WEB-PHP Indexu lang_modify.php remote file include || bugtraq,18477
+100000607 || COMMUNITY WEB-PHP Indexu link_add.php remote file include || bugtraq,18477
+100000608 || COMMUNITY WEB-PHP Indexu link_bad.php remote file include || bugtraq,18477
+100000609 || COMMUNITY WEB-PHP Indexu link_bad_delete.php remote file include || bugtraq,18477
+100000610 || COMMUNITY WEB-PHP Indexu link_checkurl.php remote file include || bugtraq,18477
+100000611 || COMMUNITY WEB-PHP Indexu link_delete.php remote file include || bugtraq,18477
+100000612 || COMMUNITY WEB-PHP Indexu link_duplicate.php remote file include || bugtraq,18477
+100000613 || COMMUNITY WEB-PHP Indexu link_edit.php remote file include || bugtraq,18477
+100000614 || COMMUNITY WEB-PHP Indexu link_premium_listing.php remote file include || bugtraq,18477
+100000615 || COMMUNITY WEB-PHP Indexu link_premium_sponsored.php remote file include || bugtraq,18477
+100000616 || COMMUNITY WEB-PHP Indexu link_search.php remote file include || bugtraq,18477
+100000617 || COMMUNITY WEB-PHP Indexu link_sponsored_listing.php remote file include || bugtraq,18477
+100000618 || COMMUNITY WEB-PHP Indexu link_validate.php remote file include || bugtraq,18477
+100000619 || COMMUNITY WEB-PHP Indexu link_validate_edit.php remote file include || bugtraq,18477
+100000620 || COMMUNITY WEB-PHP Indexu link_view.php remote file include || bugtraq,18477
+100000621 || COMMUNITY WEB-PHP Indexu log_search.php remote file include || bugtraq,18477
+100000622 || COMMUNITY WEB-PHP Indexu mail_modify.php remote file include || bugtraq,18477
+100000623 || COMMUNITY WEB-PHP Indexu menu.php remote file include || bugtraq,18477
+100000624 || COMMUNITY WEB-PHP Indexu message_create.php remote file include || bugtraq,18477
+100000625 || COMMUNITY WEB-PHP Indexu message_delete.php remote file include || bugtraq,18477
+100000626 || COMMUNITY WEB-PHP Indexu message_edit.php remote file include || bugtraq,18477
+100000627 || COMMUNITY WEB-PHP Indexu message_send.php remote file include || bugtraq,18477
+100000628 || COMMUNITY WEB-PHP Indexu message_subscriber.php remote file include || bugtraq,18477
+100000629 || COMMUNITY WEB-PHP Indexu message_view.php remote file include || bugtraq,18477
+100000630 || COMMUNITY WEB-PHP Indexu review_validate.php remote file include || bugtraq,18477
+100000631 || COMMUNITY WEB-PHP Indexu review_validate_edit.php remote file include || bugtraq,18477
+100000632 || COMMUNITY WEB-PHP Indexu summary.php remote file include || bugtraq,18477
+100000633 || COMMUNITY WEB-PHP Indexu template_active.php remote file include || bugtraq,18477
+100000634 || COMMUNITY WEB-PHP Indexu template_add_custom.php remote file include || bugtraq,18477
+100000635 || COMMUNITY WEB-PHP Indexu template_delete.php remote file include || bugtraq,18477
+100000636 || COMMUNITY WEB-PHP Indexu template_delete_file.php remote file include || bugtraq,18477
+100000637 || COMMUNITY WEB-PHP Indexu template_duplicate.php remote file include || bugtraq,18477
+100000638 || COMMUNITY WEB-PHP Indexu template_export.php remote file include || bugtraq,18477
+100000639 || COMMUNITY WEB-PHP Indexu template_import.php remote file include || bugtraq,18477
+100000640 || COMMUNITY WEB-PHP Indexu template_manager.php remote file include || bugtraq,18477
+100000641 || COMMUNITY WEB-PHP Indexu template_modify.php remote file include || bugtraq,18477
+100000642 || COMMUNITY WEB-PHP Indexu template_modify_file.php remote file include || bugtraq,18477
+100000643 || COMMUNITY WEB-PHP Indexu template_rename.php remote file include || bugtraq,18477
+100000644 || COMMUNITY WEB-PHP Indexu user_add.php remote file include || bugtraq,18477
+100000645 || COMMUNITY WEB-PHP Indexu user_delete.php remote file include || bugtraq,18477
+100000646 || COMMUNITY WEB-PHP Indexu user_edit.php remote file include || bugtraq,18477
+100000647 || COMMUNITY WEB-PHP Indexu user_search.php remote file include || bugtraq,18477
+100000648 || COMMUNITY WEB-PHP Indexu whos.php remote file include || bugtraq,18477
+100000649 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000650 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000651 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000652 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000653 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000654 || COMMUNITY WEB-PHP MyPHP Guestbook index.php xss attempt || bugtraq,18582
+100000655 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000656 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000657 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000658 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000659 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000660 || COMMUNITY WEB-PHP MyPHP Guestbook guestbook.php xss attempt || bugtraq,18582
+100000661 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000662 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000663 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000664 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000665 || COMMUNITY WEB-PHP MyPHP Guestbook edit.php xss attempt || bugtraq,18582
+100000666 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
+100000667 || COMMUNITY WEB-PHP Harpia files.php remote file include || bugtraq,18614
+100000668 || COMMUNITY WEB-PHP Harpia pheader.php remote file include || bugtraq,18614
+100000669 || COMMUNITY WEB-PHP Harpia headlines.php remote file include || bugtraq,18614
+100000670 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
+100000671 || COMMUNITY WEB-PHP Harpia preload.php remote file include || bugtraq,18614
+100000672 || COMMUNITY WEB-PHP Harpia users.php remote file include || bugtraq,18614
+100000673 || COMMUNITY WEB-PHP Harpia web_statsConfig.php remote file include || bugtraq,18614
+100000674 || COMMUNITY WEB-PHP Harpia footer.php remote file include || bugtraq,18614
+100000675 || COMMUNITY WEB-PHP Harpia pfooter.php remote file include || bugtraq,18614
+100000676 || COMMUNITY WEB-PHP Harpia missing.php remote file include || bugtraq,18614
+100000677 || COMMUNITY WEB-PHP Harpia topics.php remote file include || bugtraq,18614
+100000678 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
+100000679 || COMMUNITY WEB-PHP Harpia index.php remote file include || bugtraq,18614
+100000680 || COMMUNITY WEB-PHP Harpia search.php remote file include || bugtraq,18614
+100000681 || COMMUNITY WEB-PHP Harpia header.php remote file include || bugtraq,18614
+100000682 || COMMUNITY WEB-PHP Harpia email.php remote file include || bugtraq,18614
+100000683 || COMMUNITY WEB-PHP cPanel select.html xss attempt || bugtraq,18655
+100000684 || COMMUNITY VIRUS OutBound Dremn Trojan Beacon || url,symantec.com/avcenter/venc/data/trojan.dremn.html
+100000685 || COMMUNITY VIRUS Answering Dremn Trojan Server || url,symantec.com/avcenter/venc/data/trojan.dremn.html
+100000686 || COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound || bugtraq,18664
+100000687 || COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound || bugtraq,18664
+100000688 || COMMUNITY POLICY Ajax Remote Desktop Connection || url,www.peterdamen.com/ajaxrd/
+100000689 || COMMUNITY SMTP Mytob MAIL FROM Attempt || url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html
+100000690 || COMMUNITY SQL-INJECTION BXCP Sql Injection attempt || bugtraq,18765 || url,www.milw0rm.com/exploits/1975
+100000691 || COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt || bugtraq,18760
+100000692 || COMMUNITY WEB-CLIENT midi file download attempt || bugtraq,18507
+100000693 || COMMUNITY WEB-CLIENT winamp midi file header overflow attempt || bugtraq,18507
+100000694 || COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt || bugtraq,18699
+100000695 || COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt || bugtraq,18699
+100000696 || COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt || bugtraq,18699
+100000697 || COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt || bugtraq,18699
+100000698 || COMMUNITY WEB-MISC BXCP index.php SQL injection attempt || bugtraq,18765
+100000699 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
+100000700 || COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt || bugtraq,18775
+100000701 || COMMUNITY WEB-MISC WordPress index.php SQL injection attempt || bugtraq,18779
+100000702 || COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt || bugtraq,18899
+100000703 || COMMUNITY WEB-PHP Horde index.php show XSS attempt || bugtraq,18845
+100000704 || COMMUNITY WEB-PHP SmartSiteCMS comment.php remote file include || bugtraq,18697
+100000705 || COMMUNITY WEB-PHP SmartSiteCMS test.php remote file include || bugtraq,18697
+100000706 || COMMUNITY WEB-PHP SmartSiteCMS index.php remote file include || bugtraq,18697
+100000707 || COMMUNITY WEB-PHP SmartSiteCMS inc_adminfoot.php remote file include || bugtraq,18697
+100000708 || COMMUNITY WEB-PHP SmartSiteCMS comedit.php remote file include || bugtraq,18697
+100000709 || COMMUNITY WEB-PHP SquirrelMail search.php xss attempt || bugtraq,18700
+100000710 || COMMUNITY WEB-PHP Xoops MyAds Module annonces-p-f.php SQL injection attempt || bugtraq,18718
+100000711 || COMMUNITY WEB-PHP PHPRaid raids.php remote file include || bugtraq,18719
+100000712 || COMMUNITY WEB-PHP PHPRaid register.php remote file include || bugtraq,18719
+100000713 || COMMUNITY WEB-PHP PHPRaid roster.php remote file include || bugtraq,18719
+100000714 || COMMUNITY WEB-PHP PHPRaid view.php remote file include || bugtraq,18719
+100000715 || COMMUNITY WEB-PHP PHPRaid logs.php remote file include || bugtraq,18719
+100000716 || COMMUNITY WEB-PHP PHPRaid users.php remote file include || bugtraq,18719
+100000717 || COMMUNITY WEB-PHP PHPRaid configuration.php remote file include || bugtraq,18719
+100000718 || COMMUNITY WEB-PHP PHPRaid guilds.php remote file include || bugtraq,18719
+100000719 || COMMUNITY WEB-PHP PHPRaid index.php remote file include || bugtraq,18719
+100000720 || COMMUNITY WEB-PHP PHPRaid locations.php remote file include || bugtraq,18719
+100000721 || COMMUNITY WEB-PHP PHPRaid login.php remote file include || bugtraq,18719
+100000722 || COMMUNITY WEB-PHP PHPRaid lua_output.php remote file include || bugtraq,18719
+100000723 || COMMUNITY WEB-PHP PHPRaid permissions.php remote file include || bugtraq,18719
+100000724 || COMMUNITY WEB-PHP PHPRaid profile.php remote file include || bugtraq,18719
+100000725 || COMMUNITY WEB-PHP PHPRaid view.php SQL injection attempt || bugtraq,18720
+100000726 || COMMUNITY WEB-PHP Vincent-Leclercq News diver.php SQL injection attempt || bugtraq,18729
+100000727 || COMMUNITY WEB-PHP Softbiz Banner Exchange insertmember.php xss attempt || bugtraq,18735
+100000728 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
+100000729 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
+100000730 || COMMUNITY WEB-PHP Geeklog BlackList.Examine.class.php remote file include || bugtraq,18740
+100000731 || COMMUNITY WEB-PHP Geeklog DeleteComment.Action.class.php remote file include || bugtraq,18740
+100000732 || COMMUNITY WEB-PHP Geeklog EditIPofURL.Admin.class.php remote file include || bugtraq,18740
+100000733 || COMMUNITY WEB-PHP Geeklog MTBlackList.Examine.class.php remote file include || bugtraq,18740
+100000734 || COMMUNITY WEB-PHP Geeklog MassDelete.Admin.class.php remote file include || bugtraq,18740
+100000735 || COMMUNITY WEB-PHP Geeklog MailAdmin.Action.class.php remote file include || bugtraq,18740
+100000736 || COMMUNITY WEB-PHP Geeklog MassDelTrackback.Admin.class.php remote file include || bugtraq,18740
+100000737 || COMMUNITY WEB-PHP Geeklog EditHeader.Admin.class.php remote file include || bugtraq,18740
+100000738 || COMMUNITY WEB-PHP Geeklog EditIP.Admin.class.php remote file include || bugtraq,18740
+100000739 || COMMUNITY WEB-PHP Geeklog IPofUrl.Examine.class.php remote file include || bugtraq,18740
+100000740 || COMMUNITY WEB-PHP Geeklog Import.Admin.class.php remote file include || bugtraq,18740
+100000741 || COMMUNITY WEB-PHP Geeklog LogView.Admin.class.php remote file include || bugtraq,18740
+100000742 || COMMUNITY WEB-PHP Geeklog functions.inc remote file include || bugtraq,18740
+100000743 || COMMUNITY WEB-PHP Plume CMS dbinstall.php remote file include || bugtraq,18750
+100000744 || COMMUNITY WEB-PHP MyNewsGroups tree.php SQL injection attempt || bugtraq,18757
+100000745 || COMMUNITY WEB-PHP Diesel Joke Site category.php SQL injection attempt || bugtraq,18760
+100000746 || COMMUNITY WEB-PHP Randshop header.inc.php remote file include || bugtraq,18763
+100000747 || COMMUNITY WEB-PHP Plume CMS index.php remote file include || bugtraq,18780
+100000748 || COMMUNITY WEB-PHP Plume CMS rss.php remote file include || bugtraq,18780
+100000749 || COMMUNITY WEB-PHP Plume CMS search.php remote file include || bugtraq,18780
+100000750 || COMMUNITY WEB-PHP Free QBoard index.php remote file include || bugtraq,18788
+100000751 || COMMUNITY WEB-PHP Free QBoard about.php remote file include || bugtraq,18788
+100000752 || COMMUNITY WEB-PHP Free QBoard contact.php remote file include || bugtraq,18788
+100000753 || COMMUNITY WEB-PHP Free QBoard delete.php remote file include || bugtraq,18788
+100000754 || COMMUNITY WEB-PHP Free QBoard faq.php remote file include || bugtraq,18788
+100000755 || COMMUNITY WEB-PHP Free QBoard features.php remote file include || bugtraq,18788
+100000756 || COMMUNITY WEB-PHP Free QBoard history.php remote file include || bugtraq,18788
+100000757 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
+100000758 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
+100000759 || COMMUNITY WEB-PHP QTO File Manager qtofm.php xss attempt || bugtraq,18791
+100000760 || COMMUNITY WEB-PHP The Banner Engine top.php xss attempt || bugtraq,18793
+100000761 || COMMUNITY WEB-PHP PHPWebGallery comments.php xss attempt || bugtraq,18798
+100000762 || COMMUNITY WEB-PHP Randshop index.php remote file include || bugtraq,18809
+100000763 || COMMUNITY WEB-PHP Kamikaze-QSCM config.inc access || bugtraq,18816
+100000764 || COMMUNITY WEB-PHP MyPHP CMS global_header.php remote file include || bugtraq,18834
+100000765 || COMMUNITY WEB-PHP LifeType index.php SQL injection attempt || bugtraq,18835
+100000766 || COMMUNITY WEB-PHP Blog CMS thumb.php remote file include || bugtraq,18837
+100000767 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000768 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000769 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000770 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000771 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000772 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000773 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000774 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000775 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000776 || COMMUNITY WEB-PHP Blog CMS index.php SQL injection attempt || bugtraq,18839
+100000777 || COMMUNITY WEB-PHP Blog CMS action.php SQL injection attempt || bugtraq,18839
+100000778 || COMMUNITY WEB-PHP PHPMailList maillist.php xss attempt || bugtraq,18840
+100000779 || COMMUNITY WEB-PHP Horde index.php xss attempt || bugtraq,18845
+100000780 || COMMUNITY WEB-PHP Horde problem.php xss attempt || bugtraq,18845
+100000781 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845
+100000782 || COMMUNITY WEB-PHP Horde go.php xss attempt || bugtraq,18845
+100000783 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
+100000784 || COMMUNITY WEB-PHP ATutor create_course.php xss attempt || bugtraq,18857
+100000785 || COMMUNITY WEB-PHP ATutor password_reminder.php xss attempt || bugtraq,18857
+100000786 || COMMUNITY WEB-PHP ATutor browse.php xss attempt || bugtraq,18857
+100000787 || COMMUNITY WEB-PHP ATutor fix_content.php xss attempt || bugtraq,18857
+100000788 || COMMUNITY WEB-PHP FreeWebshop search.php xss attempt || bugtraq,18878
+100000789 || COMMUNITY WEB-PHP FreeWebshop details.php SQL injection attempt || bugtraq,18878
+100000790 || COMMUNITY WEB-PHP Pivot edit_new.php remote file include || bugtraq,18881
+100000791 || COMMUNITY WEB-PHP Pivot pv_core.php access || bugtraq,18881
+100000792 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000793 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000794 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000795 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000796 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000797 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000798 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000799 || COMMUNITY WEB-PHP Pivot blogroll.php xss attempt || bugtraq,18881
+100000800 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
+100000801 || COMMUNITY WEB-PHP Pivot editor_menu.php xss attempt || bugtraq,18881
+100000802 || COMMUNITY WEB-PHP BosClassifieds index.php remote file include || bugtraq,18883
+100000803 || COMMUNITY WEB-PHP BosClassifieds recent.php remote file include || bugtraq,18883
+100000804 || COMMUNITY WEB-PHP BosClassifieds account.php remote file include || bugtraq,18883
+100000805 || COMMUNITY WEB-PHP BosClassifieds classified.php remote file include || bugtraq,18883
+100000806 || COMMUNITY WEB-PHP BosClassifieds search.php remote file include || bugtraq,18883
+100000807 || COMMUNITY WEB-PHP CommonSense search.php SQL injection attempt || bugtraq,18893
+100000808 || COMMUNITY WEB-PHP AjaxPortal ajaxp.php SQL injection attempt || bugtraq,18897
+100000809 || COMMUNITY WEB-PHP RW Download stats.php remote file include || bugtraq,18901
+100000810 || COMMUNITY WEB-PHP PHPBB download.php remote file include || bugtraq,18914
+100000811 || COMMUNITY WEB-PHP PHPBB attach_rules.php remote file include || bugtraq,18914
+100000812 || COMMUNITY WEB-PHP SimpleBoard SBP index.php remote file include || bugtraq,18917
+100000813 || COMMUNITY WEB-PHP SimpleBoard SBP file_upload.php remote file include || bugtraq,18917
+100000814 || COMMUNITY WEB-PHP SimpleBoard SBP image_upload.php remote file include || bugtraq,18917
+100000815 || COMMUNITY WEB-PHP SimpleBoard SBP performs.php remote file include || bugtraq,18917
+100000816 || COMMUNITY WEB-PHP PC_CookBook pccookbook.php remote file include || bugtraq,18919
+100000817 || COMMUNITY WEB-PHP SMF Forum smf.php remote file include || bugtraq,18924
+100000818 || COMMUNITY WEB-PHP Graffiti Forums topics.php SQL injection attempt || bugtraq,18928
+100000819 || COMMUNITY DELETED PhpWebGallery XSS attempt
+100000820 || COMMUNITY WEB-PHP SaPHPLesson add.php SQL injection attempt || bugtraq,18934
+100000821 || COMMUNITY WEB-PHP VBZooM sub-join.php SQL injection attempt || bugtraq,18937
+100000822 || COMMUNITY WEB-PHP VBZooM reply.php SQL injection attempt || bugtraq,18937
+100000823 || COMMUNITY WEB-PHP VBZooM ignore-pm.php SQL injection attempt || bugtraq,18937
+100000824 || COMMUNITY WEB-PHP VBZooM sendmail.php SQL injection attempt || bugtraq,18937
+100000825 || COMMUNITY WEB-PHP Phorum posting.php xss attempt || bugtraq,18941
+100000826 || COMMUNITY WEB-PHP Phorum search.php SQL injection attempt || bugtraq,18941
+100000827 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
+100000828 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
+100000829 || COMMUNITY WEB-PHP HiveMail address.view.php xss attempt || bugtraq,18949
+100000830 || COMMUNITY WEB-PHP HiveMail index.php xss attempt || bugtraq,18949
+100000831 || COMMUNITY WEB-PHP HiveMail compose.email.php xss attempt || bugtraq,18949
+100000832 || COMMUNITY WEB-PHP HiveMail read.markas.php xss attempt || bugtraq,18949
+100000833 || COMMUNITY WEB-PHP HiveMail search.results.php SQL injection attempt || bugtraq,18949
+100000834 || COMMUNITY WEB-PHP Lazarus codes-english.php xss attempt || bugtraq,18956
+100000835 || COMMUNITY WEB-PHP Lazarus picture.php xss attempt || bugtraq,18956
+100000836 || COMMUNITY WEB-PHP MiniBB com_minibb.php remote file include || bugtraq,18998
+100000837 || COMMUNITY WEB-PHP MiniBB index.php remote file include || bugtraq,18998
+100000838 || COMMUNITY WEB-PHP PhotoCycle photocycle.php xss attempt || bugtraq,18964
+100000839 || COMMUNITY WEB-PHP PHP Event Calendar calendar.php remote file include || bugtraq,18965
+100000840 || COMMUNITY WEB-PHP FlatNuke index.php remote file include || bugtraq,18966
+100000841 || COMMUNITY WEB-PHP PerForms performs.php remote file include || bugtraq,18968
+100000842 || COMMUNITY WEB-PHP PHPBB 3 memberlist.php SQL injection attempt || bugtraq,18969
+100000843 || COMMUNITY WEB-PHP Koobi Pro index.php xss attempt || bugtraq,18970
+100000844 || COMMUNITY WEB-PHP Koobi Pro index.php SQL injection attempt || bugtraq,18970
+100000845 || COMMUNITY WEB-PHP Invision Power Board ipsclass.php SQL injection attempt || bugtraq,18984
+100000846 || COMMUNITY WEB-PHP Subberz Lite user-func.php remote file include || bugtraq,18990
+100000847 || COMMUNITY WEB-PHP Sitemap sitemap.xml.php remote file include || bugtraq,18991
+100000848 || COMMUNITY DELETED PhpWebGallery XSS attempt || bugtraq,18798
+100000849 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000850 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000851 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000852 || COMMUNITY WEB-PHP IceWarp include.php remote file include || bugtraq,19007
+100000853 || COMMUNITY WEB-PHP IceWarp settings.html remote file include || bugtraq,19007
+100000854 || COMMUNITY WEB-PHP ListMessenger listmessenger.php remote file include || bugtraq,19014
+100000855 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000856 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000857 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000858 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000859 || COMMUNITY WEB-PHP Professional Home Page Tools class.php SQL injection attempt || bugtraq,19019
+100000860 || COMMUNITY WEB-PHP Francisco Charrua Photo-Gallery room.php SQL injection attempt || bugtraq,19020
+100000861 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
+100000862 || COMMUNITY WEB-PHP FlushCMS class.rich.php remote file include || bugtraq,19023
+100000863 || COMMUNITY WEB-PHP PHPMyRing view_com.php SQL injection attempt || url,secunia.com/advisories/21451/
+100000864 || COMMUNITY WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability || url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14
+100000865 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s01 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000866 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s02 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000867 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s03 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000868 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit s04 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000869 || COMMUNITY WEB-PHP powergap remote file Inclusion Exploit sid variant || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000870 || COMMUNITY WEB-PHP powergap remote file inclusion exploit sid variant 2 || url,www.powergap-shop.de || url,msgs.securepoint.com/cgi-bin/get/bugtraq0608/301.html
+100000871 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
+100000872 || COMMUNITY WEB-PHP CubeCart XSS attack || url,retrogod.altervista.org/cubecart_3011_adv.html
+100000873 || COMMUNITY WEB-PHP discloser 0.0.4 Remote File Inclusion
+100000874 || COMMUNITY MISC DLR-TOR Directory server response || url,tor.eff.org
+100000875 || COMMUNITY MISC DLR-TOR Client Traffic || url,tor.eff.org
+100000876 || COMMUNITY MISC Google Talk Version Check
+100000877 || COMMUNITY MISC Google Talk Startup
+100000878 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
+100000879 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
+100000880 || COMMUNITY WEB-CGI Roller Weblog XSS exploit || bugtraq,20045
+100000881 || COMMUNITY WEB-CLIENT ImageMagick SGI ZSIZE Header Information Overflow Attempt || bugtraq,19507 || cve,2006-4144
+100000882 || COMMUNITY WEB-PHP PHP Live Helper globals.php remote file include || bugtraq,19349
+100000883 || COMMUNITY WEB-PHP Inlink remote file inclusion exploit || url,milw0rm.com/exploits/2295
+100000884 || COMMUNITY WEB-MISC SimpleBlog Remote SQL Injection attempt || url,milw0rm.com/exploits/2296
+100000885 || COMMUNITY WEB-PHP pHNews access attempt || url,milw0rm.com/exploits/2298
+100000886 || COMMUNITY WEB-PHP Proxima access attempt || url,milw0rm.com/exploits/2299
+100000887 || COMMUNITY WEB-PHP pmwiki exploit attempt || url,milw0rm.com/exploits/2291
+100000888 || COMMUNITY WEB-PHP tikiwiki exploit attempt || url,milw0rm.com/exploits/2288
+100000889 || COMMUNITY WEB-PHP yappa-ng exploit attempt || url,milw0rm.com/exploits/2292
+100000890 || COMMUNITY WEB-MISC Webmin null char attempt || bugtraq,19820 || nessus,22300
+100000891 || COMMUNITY WEB-MISC Usermin null char attempt || bugtraq,19820 || nessus,22300
+100000892 || COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow || url,www.ethereal.com/news/item_20050504_01.html || url,www.elook.org/internet/126.html
+100000893 || COMMUNITY POLICY Weather Channel Desktop App Installer
+100000894 || COMMUNITY POLICY Weather Channel Desktop App
+100000895 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000896 || COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000897 || COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000898 || COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000899 || COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt || url,www.kb.cert.org/vuls/id/425861
+100000900 || COMMUNITY BOT Mytob IRC DCC file transfer request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000901 || COMMUNITY BOT Mytob IRC DCC chat request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000902 || COMMUNITY BOT Mytob IRC channel join || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000903 || COMMUNITY BOT Mytob IRC dns request || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000904 || COMMUNITY BOT Mytob IRC dns response || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000905 || COMMUNITY BOT Mytob IRC nick change || url,www.symantec.com/security_response/writeup.jsp?docid=2006-052411-0911-99
+100000906 || COMMUNITY WEB-PHP UBB.threads remote file include
+100000907 || COMMUNITY WEB-PHP phpMyWebmin change_preferences2 script remote file include || url,www.securityfocus.com/bid/20281/info
+100000908 || COMMUNITY WEB-PHP phpMyWebmin create_file script remote file include || url,www.securityfocus.com/bid/20281/info
+100000909 || COMMUNITY WEB-PHP phpMyWebmin upload_local script remote file include || url,www.securityfocus.com/bid/20281/info
+100000910 || COMMUNITY WEB-PHP phpMyWebmin upload_multi script remote file include || url,www.securityfocus.com/bid/20281/info
+100000911 || COMMUNITY WEB-PHP Dayfox Blog adminlog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000912 || COMMUNITY WEB-PHP Dayfox Blog postblog.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000913 || COMMUNITY WEB-PHP Dayfox Blog index.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000914 || COMMUNITY WEB-PHP Dayfox Blog index2.php module remote file include || url,www.securityfocus.com/archive/1/447500/30/0/threaded
+100000915 || COMMUNITY WEB-PHP Somery Include.php remote file include || bugtraq,19912
+100000916 || COMMUNITY WEB-PHP MyBulletinBoard Functions_Post.php xss attempt || bugtraq,19770
+100000917 || COMMUNITY WEB-PHP PHP-Dimension functions_kb.php remote file include attempt || bugtraq,20367
+100000918 || COMMUNITY WEB-PHP PHP-Dimension themen_portal_mitte.php remote include attempt || bugtraq,20367
+100000919 || COMMUNITY WEB-PHP Segue CMS themesettings.inc.php remote file include attempt || bugtraq,20640 || cve,2006-5497 || url,osvdb.org/29904 || nessus,22922 || url,www.milw0rm.com/exploits/2600
+100000920 || COMMUNITY WEB-PHP MiniBB bb_func_txt.php pathToFiles variable remote file include || bugtraq,20757 || url,osvdb.org/29971 || nessus,22926
+100000921 || COMMUNITY WEB-PHP PunBB register.php language variable remote file include || bugtraq,20786 || cve,2006-5735 || url,osvdb.org/30132 || nessus,22932
+100000922 || COMMUNITY WEB-PHP Etomite CMS index.php id variable SQL injection || bugtraq,21135 || url,osvdb.org/30442 || url,secunia.com/advisories/22885
+100000923 || COMMUNITY DOS Single-Byte UDP Flood
+100000924 || COMMUNITY POLICY Google SafeSearch off
+100000925 || COMMUNITY-WEB-PHP ADP Forum Attempted Password Recon || url,www.milw0rm.com/exploits/3053
+100000926 || COMMUNITY-WEB-PHP EasyNews PRO News Attempted Password Recon || url,www.milw0rm.com/exploits/3039
+100000927 || COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry || url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx
+100000928 || COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow || bugtraq,23483 || cve,2007-1674
+100000929 || COMMUNITY WEB-PHP Xoops module Articles SQL Injection Exploit || url,www.securityfocus.com/archive/1/463916
+100000930 || COMMUNITY WEB-PHP Drake CMS 404.php Local File Include Vulnerability || bugtraq,23215
+100000931 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203
+100000932 || COMMUNITY WEB-PHP Softerra Time-Assistant remote include attempt || bugtraq,23203
+100000933 || COMMUNITY WEB-PHP Aardvark button/settings_sql.php File Include Vulnerability || url,securityfocus.com/archive/1/464351
+100000934 || COMMUNITY WEB-PHP Aardvark button/new_day.php File Include Vulnerability || url,securityfocus.com/archive/1/464351
