Over 800 rules for the Snort IDS software. Last updated 3/25/2000.
6048b29687940ea6614c159d1877a5fec7dfec0a08995d36ff290e44923f7e5c#----------------------------------------------
# http://snort.rapidnet.com Ruleset
# Current Database Updated 03/20/2000
# Contact: Jim Forster - jforster@rapidnet.com
#----------------------------------------------
preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan: 12.23.34.45/32 3 5 /var/log/snort_portscan.log
# ^^^^^^^^^^^ ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
# | | | |
#Your IP address or Network here+ | | |
# | | |
#Ammount of ports being connected-----+ | |
# in this | |
#Interval (in seconds)------------------+ |
# |
#Log file (path/name)----------------------------------+
preprocessor portscan-ignorehosts: Hosts to ignore in portscan preprocessor
#---------------------------------------------
# CHANGE THE NEXT LINE TO REFLECT YOUR NETWORK
# (Single system = your ip/32)
var HOME_NET yournet/sub
#---------------------------------------------
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg: "IDS263 - Backdoor Signature - CDK"; content: "ypi0ca"; nocase; flags: AP; depth: "15";)
alert udp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS201 - BACKDOOR SIGNATURE - Q UDP"; dsize: ">1";)
alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS203 - BACKDOOR SIGNATURE - Q TCP"; flags:A; dsize: ">1";)
alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS202 - BACKDOOR SIGNATURE - Q ICMP"; itype: 0; dsize: ">1";)
alert tcp $HOME_NET 5714 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|";)
alert udp !$HOME_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR SIGNATURE - Matrix 2.0 Server ACK"; content:"logged in";)
alert udp !$HOME_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR SIGNATURE - Matrix 2.0 Client connect"; content:"activate";)
alert tcp !$HOME_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)
alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro File List"; flags:PA; content:"|2D 2D|";)
alert tcp $HOME_NET !53:80 -> !$HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro Outbound Data"; flags:PA;)
alert tcp $HOME_NET 666 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Server FTP Open Reply"; flags:PA; content:"FTP Port open";)
alert tcp !$HOME_NET any -> $HOME_NET 666 (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Client FTP Open Request"; flags:PA; content:"FTPON";)
alert tcp $HOME_NET 5401:5402 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Connection"; flags:PA; content:"c|3A|\";)
alert tcp any !80 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enable from Client"; flags:PA; content:"FTPenable!";)
alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enabled Sent from Server!"; flags:PA; content:"FTP server enabled";)
alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 Login Detected!"; flags:PA; content:"connected. time/date";)
alert tcp $HOME_NET 30100:30102 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - NetSphere 1.31.337 Data"; flags:PA; content:"NetSphere";)
alert tcp $HOME_NET 31785 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - HackAttack 1.20 Connect"; flags:PA; content:"host";)
alert tcp $HOME_NET 23476 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - DonaldDick 1.53 Traffic"; flags:PA; content:"pINg";)
alert udp any 2140 -> $HOME_NET 60000 (msg:"BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network";)
alert udp any 60000 -> $HOME_NET 2140 (msg:"BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network";)
alert udp any 3150 -> $HOME_NET 60000 (msg:"BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network"; content:"|00 23|";)
alert udp any 60000 -> $HOME_NET 3150 (msg:"BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|";)
alert udp $HOME_NET 2140 -> any 60000 (msg:"BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";)
alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - Possible PhaseZero Server Active on Network";content:"phAse";flags:PA;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS182 - BACKDOOR SIGNATURE - TFN server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS183 - BACKDOOR SIGNATURE - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS184 - BACKDOOR SIGNATURE - TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0;)
alert icmp 3.3.3.3/32 any -> !$HOME_NET any (msg:"IDS193 - BACKDOOR SIGNATURE - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;)
alert icmp $HOME_NET any -> !$HOME_NET any (msg:"IDS195 - BACKDOOR SIGNATURE - Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669;)
alert icmp $HOME_NET any -> !$HOME_NET any (msg:"IDS191 - BACKDOOR SIGNATURE - Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS192 - BACKDOOR SIGNATURE - Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS194 - BACKDOOR SIGNATURE - Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS190 - BACKDOOR SIGNATURE - Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666;)
alert icmp !$HOME_NET any -> $HOME_NET 16660 (msg:"IDS179 - BACKDOOR SIGNATURE - Stacheldraht Client";)
alert tcp $HOME_NET 6969 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - GateCrasheraccess"; flags:PA; content:"GateCrasher";)
alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS187 - BACKDOOR SIGNATURE - Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";)
alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS186 - BACKDOOR SIGNATURE - Trin00:DaemontoMaster(messagedetected)"; content:"l44";)
alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS185 - BACKDOOR SIGNATURE - Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";)
alert tcp $HOME_NET 30100 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - NetSphere access"; flags: PA; content:"NetSphere";)
alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"IDS196 - BACKDOOR SIGNATURE - Trin00:Attacker to Master default startup pass detected!";flags:PA; content:"betaalmostdone";)
alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"BACKDOOR SIGNATURE - Trin00 Attacker to Master defaultr.i.passdetected!";flags:PA; content:"gOrave";)
alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"BACKDOOR SIGNATURE - Trin00 Attacker to Master-default mdie pass detected!";flags:PA; content:"killme";)
alert udp !$HOME_NET any -> $HOME_NET 27444 (msg:"IDS197 - BACKDOOR SIGNATURE - Trin00:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl";)
alert tcp !$HOME_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR SIGNATURE - GirlFriendaccess"; flags:PA; content:"Girl";)
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"IDS001 - BACKDOOR SIGNATURE - ADMw0rm-ftp-retrieval";flags:PA; content:"USERw0rm|0D0A|";)
alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - PhaseZero Server Active on Network"; flags:PA; content:"phAse";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg: "IDS11 - Finger cybercop redirection"; flags:PA; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; dsize: "11"; depth: "11";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg: "IDS251 - Finger redirection"; content: "@"; flags: AP;)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Search";flags:PA; content:"search";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-root";flags:PA; content:"root";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-ProbeNull"; flags:PA; content:"|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Probe0";flags:PA; content:"0";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-PipeW";flags:PA; content:"/W|3b|";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Pipe"; flags:PA; content:"|7c|";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Bomb";flags:PA; content:"@@";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS011 - FINGER-redirection";flags:PA; content:"|406C6F63616C686F73740A|";dsize:"11";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS131 - FINGER-0@host";flags:PA; content:"|300A20202020|";dsize:"6";depth:"6";)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS130 - FINGER-.@host";flags:PA; content:"|2E0A20202020|";dsize:"6";depth:"6";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS257 - FTP DoS aix ftpd"; content: "CEL"; flags: AP; dsize: ">1300"; nocase;)
alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS148 - TFTP Write"; content:"|00 02|"; depth:"2"; )
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password Retrieval"; content:"passwd"; flags: AP;)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-user-warez";flags:PA; content:"user warez |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-user-root";flags:PA; content:"user root |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-site-exec";flags:PA; content:"site exec";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-shosts";flags:PA; content:".shosts";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-rhosts";flags:PA; content:".rhosts";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-pass-wh00t";flags:PA; content:"pass wh00t";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-pass-h0tb0x";flags:PA; content:"pass h0tb0x";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-nopassword";flags:PA; content:"pass |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-linux-nulluser";flags:PA; content:"user null |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-linux-nullpass";flags:PA; content:"pass null |0d|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-forward";flags:PA; content:".forward";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-cwd~root"; flags:PA; content:"cwd ~root";)
alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS138 - TFTP rootdirectory"; content:"|0001|/";)
alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS137 - TFTP parent directory"; content:"..";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS134 - FTP tar parameters";flags:PA; content:"RETR--use-compress-program";)
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP-NT-bad-login"; content:"Login failed.";)
alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP-bad-login";flags:PA; content:"530 Login incorrect";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg: "IDS264 MISC DoS ath0"; content: "+++ath0"; nocase; itype: 8;)
alert tcp !$HOME_NET any -> $HOME_NET 8080 (msg: "IDS267 - Delegate proxy overflow"; content: "whois|3a|//"; nocase; flags: AP; dsize: ">1000";)
alert udp !$HOME_NET any -> $HOME_NET 9 (msg: "IDS262 - MISC DoS ascend reboot"; content: "|4e414d454e414d45|"; offset: "25"; depth: "50";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS260 - MISC DoS annex terminal"; content: "ping?query"; flags: AP; dsize: ">1400"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 617 (msg: "IDS261 - MISC DoS arkiea backup"; flags: AP; dsize: ">1445";)
alert tcp !$HOME_NET :1024 -> $HOME_NET any (msg: "IDS252 - MISC DDoS shaft synflood incoming"; flags: S; seq: 674711609;)
alert tcp $HOME_NET :1024 -> !$HOME_NET any (msg: "IDS253 - MISC DDoS shaft synflood outgoing"; flags: S; seq: 674711609;)
alert udp !$HOME_NET any -> $HOME_NET 20433 (msg: "IDS256 - MISC DDoS shaft agent to handler"; content: "alive";)
alert udp !$HOME_NET any -> $HOME_NET 18753 (msg: "IDS255 - MISC DDoS shaft handler to agent"; content: "alive tijgu";)
alert tcp !$HOME_NET any -> $HOME_NET 20432 (msg: "IDS254 - MISC DDoS shaft client to handler"; flags: AP;)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS204 - NT NULL session"; flags:PA; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"IDS247 - MISC - Large UDP Packet"; dsize: ">800";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS246 - MISC - Large ICMP Packet"; dsize: ">800";)
alert tcp $HOME_NET 7161 -> !$HOME_NET any (msg:"IDS129 - MISC Cisco Catalyst Remote Access"; flags:SA;)
alert udp !$HOME_NET any -> $HOME_NET 5632 (msg:"IDS239 - MISC-PCAnywhere Startup"; content:"ST"; depth: "2";)
alert tcp $HOME_NET 5632 -> !$HOME_NET any (msg:"IDS240 - MISC-PCAnywhere Failed Login";flags:PA; content:"Invalid login"; depth: "16";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: "2"; depth: "16";)
alert tcp !$HOME_NET 53 -> $HOME_NET :1023 (msg:"IDS007 - MISC-Source Port Traffic 53 TCP"; flags:S;)
alert udp !$HOME_NET 53 -> $HOME_NET 138:1023 (msg:"MISC-Source Port Traffic 138-1023";)
alert udp !$HOME_NET 53 -> $HOME_NET 54:136 (msg:"MISC-Source Port Traffic 54-136";)
alert udp !$HOME_NET 53 -> $HOME_NET 0:52 (msg:"MISC-Source Port Traffic 0-52";)
alert tcp !$HOME_NET 20 -> $HOME_NET :1023 (msg:"IDS006 - MISC-Source Port Traffic 20 TCP"; flags:S; )
alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";)
alert tcp !$HOME_NET any -> $HOME_NET 5631 (msg:"MISC-PCAnywhere Attempted Administrator Login";flags:PA; content:"ADMINISTRATOR";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"IDS003 - MISC-Traceroute UDP";ttl:"1";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"MISC-Traceroute TCP";ttl:"1";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS118 - MISC-Traceroute ICMP";ttl:1;itype:8;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS117 - MISC-SourceRoute-ICMP-lssre";ipopts:lsrre;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS116 - MISC-SourceRoute-ICMP-lssr";ipopts:lsrr;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-IRDP-Router-Selection(l0phtattack)";itype:10;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS174 - MISC-IRDPRouterSelection";itype:10;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS173 - MISC-IRDPRouterAdvertisement";itype:9;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS199 - MISC-ICMPRedirectNet";itype:5;icode:0;)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS135 - MISC-ICMPRedirectHost";itype:5;icode:1;)
alert icmp !$HOME_NET any -> !$HOME_NET any (msg:"IDS238 - Traceroute IPOPTS"; ipopts: rr; itype: 0;)
alert tcp !$HOME_NET 6000:6005 -> $HOME_NET any (msg: "IDS126 - Outgoing Xterm"; flags: SA;)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"MISC-Passwd-Attempt";flags:PA; content:"passwd";)
alert udp !$HOME_NET any -> $HOME_NET !520 (msg:"IDS115 - MISC-Traceroute-UDP";TTL:1;)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IDS147 - MISC-IMAP-x86-linux-buffer-overflow";flags:PA; content:"|e8c0ffffff|/bin/sh";)
alert tcp !$HOME_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)
alert udp !$HOME_NET any -> $HOME_NET 32771 (msg:"MISC-Attempted Sun RPC high port access;)
alert tcp !$HOME_NET any -> $HOME_NET 32771 (msg:"MISC-Attempted Sun RPC high port access;)
alert tcp !$HOME_NET !53 -> $HOME_NET 1080 (msg:"MISC-WinGate-1080-Attempt";flags:S;)
alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"SNMP access, public"; content:"public";)
alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"NETBIOS-SNMP-NT-UserList"; content:"|2b06104014d10219|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-IPC$access";flags:PA; content:"|5c00|I|00|P|00|C|00|$|000000|IPC|00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-IPC$access";flags:PA; content:"\IPC$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-D$access";flags:PA; content:"\D$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-CD...";flags:PA; content:"\...|00 00 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-CD..";flags:PA; content:"\..|2f 00 00 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-C$access";flags:PA; content:"\C$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-ADMIN$access";flags:PA; content:"\ADMIN$|00 41 3a 00|";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-Samba-clientaccess";flags:PA; content:"|00|Unix|00|Samba";)
alert udp !$HOME_NET any -> $HOME_NET 137 (msg:"IDS177 - NETBIOS-SMB-Name-Query"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
alert tcp $HOME_NET any -> !$HOME_NET 80 (msg:"IDS214 - OVERFLOW - Client - netscape47-unsucessful"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;)
alert tcp !$HOME_NET 80 -> $HOME_NET any (msg:"IDS215 - OVERFLOW - Client - netscape47-retrieved"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"../../../../../../../../../";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"ADMROCKS";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-X86";flags:PA; content:"|9090 9090 9090 9090 9090 9090 9090 9090|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"IDS181 - OVERFLOW-NOOP-X86"; content:"|9090 9090 9090 9090 9090 9090 9090 9090|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc";flags:PA; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc"; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Solaris";flags:PA; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Solaris"; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI";flags:PA; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI"; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI";flags:PA; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI"; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP";flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP";flags:PA; content:"|0821 0280 0821 0280 0821 0280 08210 0280|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Digital"; content:"|47ff 041f 47ff 041f 47ff 041f 47ff 041f|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Digital";flags:PA; content:"|47ff 041f 47ff 041f 47ff 041f 47f f041f|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX";flags:PA; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";)
alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-LinuxCommonUDP"; content:"|909090e8c0ffffff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-LinuxCommonTCP";flags:PA; content:"|909090e8c0ffffff|/bin/sh";)
alert udp !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP--x86linux"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|";)
alert udp !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP-x86bsd"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|";)
alert tcp !$HOME_NET any -> $HOME_NET 6373 (msg:"OVERFLOW-sco-calserver";flags:PA; content:"|eb7f 5d55 fe4d 98fe 4d9b|";)
alert udp !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd3"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";)
alert udp !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd2"; content:"|5eb0 0289 06fe c889 4604 b006 8946|";)
alert udp !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-named";flags:PA; content:"|CD80 E8D7 FFFF FF|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-rotsb";flags:PA; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-generic";flags:PA; content:"|cd80 e8d7 ffff ff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv3";flags:PA; content:"|31c0b002cd8085c0754ceb4c5eb0|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv2";flags:PA; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86freebsd-rotsb";flags:PA; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";)
alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-sparc";flags:PA; content:"|901ac00f 90022008 9202200f d023bff8|";)
alert udp !$HOME_NET any -> $HOME_NET 518 (msg:"OVERFLOW-x86-linux-ntalkd"; content:"|0103 0000 0000 0001 0002 02e8|";)
alert tcp !$HOME_NET any -> $HOME_NET 2766 (msg:"OVERFLOW-x86-solaris-nlps";flags:PA; content:"|eb235e33c08846fa8946f58936|";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-MailMax";flags:PA; content:"eb45eb205bfc33c9b1828bf3802b";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-CSMMail";flags:PA; content:"eb53eb205bfc33c9b1828bf3802b";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-wh0a";flags:PA; content:"|83ec04 5e 83c670 83c62 8d5e0c|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-smiler";flags:PA; content:"|31db 89d8 b017 cd80 eb2c|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-sekure";flags:PA; content:"MKD AAAAAA";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-duke";flags:PA; content:"|31c0 31db b017 cd80 31c0 b017 cd80|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-adm";flags:PA; content:"|31c031dbb017cd8031c0b017cd80|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic2";flags:PA; content:"|5858 5858 582F|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic1";flags:PA; content:"|5057 440A 2F69|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-2!";flags:PA; content:"|5858 5858 582F|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-1!";flags:PA; content:"|5057 440A2F69|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd6";flags:PA; content:"|eb385e89f389d880460120804602|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd5";flags:PA; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd4";flags:PA; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd3";flags:PA; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd2";flags:PA; content:"|89d8 40cd 80e8 c8ff ffff|/";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-IMAP";flags:PA; content:"|E8 C0FF FFFF|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-86-linux-imap1";flags:PA; content:"|e8 c0ff ffff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"OVERFLOW-x86-linux-samba";flags:PA; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-QPOP";flags:PA; content:"|E8 D9FF FFFF|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86sco";flags:PA; content:"|560e31c0b03b8d7e1289f989f9|";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86linux";flags:PA; content:"|d840 cd80 e8d9 ffff ff|/bin/sh";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd2";flags:PA; content:"|5e0e31c0b03b8d7e0e89fa89f9|";)
alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd";flags:PA; content:"|685d 5eff d5ff d4ff f58b f590 6631|";)
alert tcp !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux2";flags:PA; content:"|eb2c5b89d980c10639d97c078001|";)
alert tcp !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux";flags:PA; content:"|ffff ff2f 4249 4e2f 5348 00|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-IRC-client-Chocoa";flags:PA; content:"|eb4b5b5332e483c30b4b8823b85077|";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NextFTP-client";flags:PA; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS171 - Ping - All Zeros"; content: "|00000000000000000000000000000000|"; itype: 8; depth: "32";)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Subnet Mask Reply"; itype:18;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"IDS216 - PING-ICMP Subnet Mask Request"; itype:17;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Information Reply"; itype:16;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Information Request"; itype:15;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Timestamp"; itype:13;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Parameter Problem"; itype:12;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Time Exceeded"; itype:11;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Source Quench"; itype:4;)
alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Destination Unreachable"; itype:3;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS028 - PING NMAP TCP";flags:A;ack:"0";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS169 - PING Windows Type"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: "32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS168 - PING WhatsupGold Windows"; content:"|57686174735570202d2041204e657477|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS167 - PING TJPingPro1.1Build 2 Windows"; content:"|544a50696e6750726f206279204a696d|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS166 - PING Seer Windows"; content:"|88042020202020202020202020202020|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS164 - PING Ping-O-MeterWindows"; content:"|4f4d657465724f6265736541726d6164|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS163 - PING Pinger Windows"; content:"|44617461000000000000000000000000|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING *NIX Type"; content:"|101112131415161718191a1b1c1d1e1f|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA";itype:8;dsize:"0";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS161 - PING Network Toolbox 3 Windows"; content:"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS159 - PING Microsoft Windows"; content:"|6162636465666768696a6b6c6d6e6f70|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS158 - PING ISS Pinger"; content:"|495353504e475251|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS157 - PING IP NetMonitor Macintosh"; content:"|a9205375737461696e61626c6520536f|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS156 - PING Flowpoint 2200DSL Router"; content:"|0102030405060708090a0b0c0d0e0f10|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS155 - PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS154 - PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS153 - PING Cisco Type.x"; content:"|abcdabcdabcdabcdabcdabcdabcdabcd|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: "32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS151 - PING BeOS4.x"; content:"|00000000000000000000000008090a0b|";itype:8;depth:"32";)
alert tcp !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS242 - RPC ttdbserv Solaris Overflow"; flags: PA; dsize: ">999"; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";)
alert tcp !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS241 - RPC ttdbserv Solaris Kill"; flags: PA; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: "16"; depth: "32";)
alert tcp !$HOME_NET any -> $HOME_NET 634:1400 (msg:"IDS217 - RPC AMD Overflow"; flags:PA; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|";depth: "32"; )
alert udp !$HOME_NET any -> $HOME_NET 32770: (msg:"IDS009 - RPC-rstatd-query"; content:"|0000000020186A1|";offset:"5";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS125 - RPC - portmap-request-ypupdated"; content:"|0186BC000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS012 - RPC - portmap-request-ypserv"; content:"|0186A4000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS014 - RPC - portmap-request-yppasswd"; content:"|0186A9000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS024 - RPC - portmap-request-ttdbserv"; content:"|0186F3000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS015 - RPC - portmap-request-status"; content:"|0186B8000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS025 - RPC - portmap-request-selection_svc"; content:"|0186AF000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS020 - RPC - portmap-request-sadmind"; content:"|018788000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS133 - RPC - portmap-request-rusers"; content:"|0186A2000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS010 - RPC - portmap-request-rstatd"; content:"|0186A1000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS023 - RPC - portmap-request-rexd";content:"|0186B1000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS022 - RPC - portmap-request-pcnfsd"; content:"|0249f1000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS014 - RPC - portmap-request-nlockmgr"; content:"|0186B5000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS021 - RPC - portmap-request-nisd"; content:"|0187cc000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS013 - RPC - portmap-request-mountd"; content:"|0186A5000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS017 - RPC - portmap-request-cmsd"; content:"|0186E4000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS016 - RPC - portmap-request-bootparam"; content:"|0186BA000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS019 - RPC - portmap-request-amountd"; content:"|01873000|";offset:"40";depth:"8";)
alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS018 - RPC - portmap-request-admind"; content:"|0186F7000|";offset:"40";depth:"8";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS236 - SCAN-IP Eye SYN Scan"; flags: S; seq: 1958810375;)
alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS132 - SCAN-Cybercop Finger Query"; content: "|0A 20 20 20 20 20|"; flags: AP; depth: "1";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS027 - SCAN-FIN"; flags: F;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS150 - SCAN-Cybercop OS Probe sfu12"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: "16";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS145 - SCAN-Cybercop-OS-Probe sfp"; content: "AAAAAAAAAAAAAAAA"; flags: SFP; ack: 0; depth: "16";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS146 - SCAN-Cybercop OS Probe sf12"; flags: SF12; dsize: "0";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS149 - SCAN-Cybercop OS Probe pa12"; content: "AAAAAAAAAAAAAAAA"; flags: AP12; depth: "16";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING-SCAN Sniffer Pro/NetXRay"; content:"|43696e636f30313233343536373839|";itype:8;depth:"32";)
alert icmp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-ICMP Sniffer Pro/NetXRay network scan"; content:"|43696e636f204e6574776f726b2c20496e632e|"; itype: 8; depth: "32";)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-SYNFIN";flags:SF;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS029 - SCAN-Possible Queso Fingerprint attempt";flags:S12;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS005 - SCAN-Possible NMAP Fingerprint attempt";flags:SFPU;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS004 - SCAN-NULL Scan";flags:0; seq:0; ack:0;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS144 - SCAN-FullXMASScan";flags:SRAFPU;)
alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-FIN";flags:F;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN-Whisker!";flags:PA; content:"HEAD/./";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN-Cybercop-WEB";flags:PA; content:"get /cybercop";)
alert udp !$HOME_NET any -> $HOME_NET 7 (msg:"SCAN-Cybercop-UDP-bomb"; content:"cybercop";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SCAN-Cybercop-SMTPexpn";flags:PA; content:"expn cybercop";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SCAN-Cybercop-SMTPehlo";flags:PA; content:"ehlo cybercop|0a|quit|0a|";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-SATAN-FTPcheck";flags:PA; content:"pass -satan";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-SAINT-FTPcheck";flags:PA; content:"pass -saint";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-pISS-FTPcheck";flags:PA; content:"pass -cklaus";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-ISS-FTPcheck";flags:PA; content:"pass -iss@iss";)
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-ADM-FTPcheck";flags:PA; content:"PASS ddd@|0a|";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "IDS266 - SMTP Chameleon Overflow"; content: "HELP"; nocase; flags: AP; dsize: ">500"; depth: "10";)
alert tcp $HOME_NET 25 -> !$HOME_NET any (msg:"IDS249 - SMTP Relaying Denied"; flags:AP; content: "5.7.1"; depth:"70";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS172 - SMTP Exploit558"; flags: PA; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS141 - SMTP-exploit869c";flags:PA; content:"|0a|Croot|0d0a|Mprog";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-vrfy-decode";flags:PA; content:"vrfy decode";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS143 - SMTP-MajordomoIFS";flags:PA; content:"eply-to|3a| a~.`/bin/";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS031 - SMTP-expn-root";flags:PA; content:"expn root";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS032 - SMTP-expn-decode";flags:PA; content:"expn decode";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS122 - SMTP-exploit565";flags:PA; content:"MAIL FROM|3a207c|/usr/ucb/tail";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS121 - SMTP-exploit564";flags:PA; content:"rcpt to|3a| decode";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS119 - SMTP-exploit555";flags:PA; content:"mail from|3a20227c|";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS120 - SMTP-exploit41";flags:PA; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS142 - SMTP-exploit869d";flags:PA; content:"|0a|Croot|0a|Mprog";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS140 - SMTP-exploit869b";flags:PA; content:"|0a|D/";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS139 - SMTP-exploit869a;flags:PA; content:"|0a|C|3a|daemon|0a|R";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS124 - SMTP-exploit8610ha";flags:PA; content:"Croot|09090909090909|Mprog,P=/bin";)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS123 - SMTP-exploit8610";flags:PA; content:"Croot|0d0a|Mprog, P=/bin/";)
alert tcp !$HOME_NET any -> $HOME_NET 1417 (msg:"IDS229 - SYSADMIN - Insecure TIMBUKTU Password"; content: "|05 00 3E|"; flags: AP; depth: "16";)
alert tcp any 5050 <> $HOME_NET any (msg:"SYSADMIN - YAHOO Pager Data Logged"; flags: PA;)
alert tcp any 5190 <> $HOME_NET any (msg:"SYSADMIN - AOL Chat Data Logged";)
alert tcp $HOME_NET any -> !$HOME_NET 5050 (msg:"SYSADMIN - YAHOO Pager Active on Network"; flags:A;)
alert tcp $HOME_NET any -> !$HOME_NET 5190 (msg:"SYSADMIN - AOL Chat Active on Network"; flags:A;)
alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"SYSADMIN - Mail Password";flags:PA; content:"PASS";)
alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"SYSADMIN - Mail Login";flags:PA; content:"USER";)
alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"SYSADMIN - FTP-Password";flags:PA; content:"PASS";)
alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"SYSADMIN - FTP-Login";flags:PA; content:"USER";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - Attempted SU from wrong group"; content: "|74 6F 20 73 75 20 72 6F 6F 74 2E|";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - resolv_host_conf";flags:PA; content:"resolv_host_conf";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - Livingston-DoS";flags:PA; content:"|fff3 fff3 fff3 fff3 fff3|";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - ld_preload";flags:PA; content:"ld_preload";)
alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - ld_library_path";flags:PA; content:"ld_library_path";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - WinGate-Active"; content:"WinGate>";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - NotOnConsole"; content:"not on system console";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS127 - TELNET - Login Incorrect"; content:"Login incorrect";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS008 - TELNET - daemon-active";flags:PA; content:"|FFFD18FFFD1FFFFD23FFFD27FFFD24|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Fix2001 Worm"; content:"Fix2001.exe"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Y2K Zelu Trojan"; content: "Y2K.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible The_Fly Trojan"; content: "THE_FLY.CHM"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Word Macro - VALE"; content: "DINHEIRO.DOC"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Word Macro - VALE"; content: "MONEY.DOC"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible wscript.KakWorm"; content: "KAK.HTA"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Tune.vbs"; content: "tune.vbs"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Papa Worm"; content:"XPASS.XLS"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Suppl Worm"; content:"Suppl.doc"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Triplesix Worm"; content: "666TEST.VBS"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Simbiosis Worm"; content: "SETUP.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Video Worm"; content: "VIDEO.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Passion Worm"; content: "ICQ_GREETINGS.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; content: "GADGET.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; content: "IRNGLANT.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - casper.exe"; content: "CASPER.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; content: "FBORFW.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; content: "CUPID2.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; content: "BBOY.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - baby.exe"; content: "BABY.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - goal.exe"; content: "GOAL.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; content: "THEOBBQ.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - panther.exe"; content: "PANTHER.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; content: "CHESTBURST.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - farter.exe"; content: "FARTER.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - boss.exe"; content: "BOSS.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - monica.exe"; content: "MONICA.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; content: "SADDAM.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - party.exe"; content: "PARTY.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - hog.exe"; content: "HOG.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; content: "GOAL1.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; content: "PIRATE.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - video.exe"; content: "VIDEO.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - copier.exe"; content: "COPIER.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; content: "COOLER1.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; content: "COOLER3.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; content: "G-ZILLA.EXE"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible ToadieE-mail Trojan"; content:"Toadie.exe"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible PrettyPark Trojan"; content:"\CoolProgs\";offset:300;depth:750;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Happy99 Virus"; content:"X-Spanska\:Yes";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Bubbleboy Worm"; content:"BubbleBoy is back!";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possbile Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS231 - Web-CGI-win-c-sample"; flags: PA; content: "win-c-sample.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS211 - Web-CGI-w3-msql-solx86"; flags: PA; content: "/bin/shA-cA/usr/openwin"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS227 - Web-CGI-Scriptalias"; flags: PA; content: "///";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-tsch shell";flags:PA; content:"tcsh"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-survey";flags:PA; content:"survey.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-snorkerz.cmd";flags:PA; content:"snorkerz.cmd"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS220 - WEB-CGI-snork.bat";flags:PA; content:"snork.bat"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rsh";flags:PA; content:"/rsh"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rksh";flags:PA; content:"/rksh"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-query";flags:PA; content:"/query"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-post-query";flags:PA; content:"/post-query"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ksh shell";flags:PA; content:"/ksh"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datanotifier.cgi";flags:PA; content:"/day5datanotifier.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datacopier.cgi";flags:PA; content:"/day5datacopier.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-csh shell";flags:PA; content:"cgi-bin/csh"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bash shell";flags:PA; content:"/bash"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-visadmin.exe";flags:PA; content:"visadmin.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-dumpenv.pl";flags:PA; content:"/dumpenv.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bb-hist.sh";flags:PA; content:"/bb-hist.sh"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-MachineInfo";flags:PA; content:"/MachineInfo"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AnyForm2";flags:PA; content:"/AnyForm2"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwuploader.exe";flags:PA; content:"cgi-win/wwwuploader.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-upload.pl";flags:PA; content:"upload.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-sendform.cgi";flags:PA; content:"sendform.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ppdscgi";flags:PA; content:"/ppdscgi.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwadmin";flags:PA; content:"wwwadmin.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wais";flags:PA; content:"wais.pl";nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-w2tvars";flags:PA; content:"w3tvars.pm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS210 - WEB-CGI-w3-msql";flags:PA; content:"w3-msql"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-redirectt";flags:PA; content:"/redirect"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS226 - WEB-CGI-formmail";flags:PA; content:"/formmail"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-flexform";flags:PA; content:"/flexform"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-calendar";flags:PA; content:"cgi-bin/calendar"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-archie";flags:PA; content:"/archie"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-LWGate Attempt";flags:PA; content:"/LWGate"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWW-SQL CGI access attempt";flags:PA; content:"www-sql"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWWboard CGI access attempt";flags:PA; content:"wwwboard.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Wrap CGI access attempt";flags:PA; content:"wrap"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Wguest CGI access attempt";flags:PA; content:"wguest.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Websendmail CGI access attempt";flags:PA; content:"websendmail"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Webgais CGI access attempt";flags:PA; content:"webgais"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Webdist CGI access attempt";flags:PA; content:"webdist.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Upload CGI access attempt";flags:PA; content:"uploader.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Textcounter CGI access attempt";flags:PA; content:"textcounter.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS218 - WEB-CGI-TEST-CGIprobe!"; flags:PA; content:"test-cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Survey CGI access attempt";flags:PA; content:"survey.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rwwwshell CGI access attempt";flags:PA; content:"rwwwshell.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Rguest CGI access attempt";flags:PA; content:"/rguest.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS232 - WEB-CGI-PHP CGI access attempt";flags:PA; content:"php.cgi?/"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Perlshop CGI access attempt";flags:PA; content:"/perlshop.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-NPH-publish CGI access attempt";flags:PA; content:"nph-publish"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS224 - WEB-CGI-NPH CGI access attempt";flags:PA; content:"nph-test-cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Maillist CGI access attempt";flags:PA; content:"/maillist.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-JJ CGI access attempt";flags:PA; content:"/jj"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Info2 www CGI access attempt";flags:PA; content:"/info2www"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Htmlscript CGI access attempt";flags:PA; content:"/htmlscript"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS235 - WEB-CGI-HANDLERprobe!"; flags:PA; content:"/handler"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS228 - WEB-CGI-Guestbook CGI access attempt";flags:PA; content:"/guestbook.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Glimpse CGI access attempt";flags:PA; content:"/glimpse"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS221 - WEB-CGI-Finger CGI access attempt";flags:PA; content:"cgi-bin/finger"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Files CGI access attempt";flags:PA; content:"/files.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Filemail CGI access attempt";flags:PA; content:"/filemail.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Faxsurvey probe"; flags:PA; content:"/faxsurvey"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Environ CGI access attempt";flags:PA; content:"/environ.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Edit CGI access attempt";flags:PA; content:"/edit.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Classifieds CGI access attempt";flags:PA; content:"cgi-bin/classifieds.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS234 - WEB-CGI-Cgiwrap CGI access attempt";flags:PA; content:"cgiwrap"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Cgichk Pf display access attempt";flags:PA; content:"/pfdispaly.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI view-source access attempt";flags:PA; content:"/view-source?../../../../../../../etc/passwd"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI pf display access attempt";flags:PA; content:"/pfdisplay.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS219 - WEB-CGI--Perl access attempt";flags:PA; content:"perl.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI Man access attempt";flags:PA; content:"/man.sh"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Campas CGI access attempt";flags:PA; content:"/campas"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Bnbform CGI access attempt";flags:PA; content:"/bnbform.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AT-admin CGI access attempt";flags:PA; content:"/AT-admin.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Args CGI access attempt";flags:PA; content:"/args.bat"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS225 - WEB-CGI-AnyForm CGI access attempt";flags:PA; content:"/AnForm2"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Aglimpse CGI access attempt";flags:PA; content:"/aglimpse"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Count.cgi probe!"; flags:PA; content:"cgi-bin/Count.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS128 - WEB-CGI phf attempt";flags:PA; content:"/phf";flags:AP; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-COLDFUSION-cfmlsyntaxcheck";flags:PA; content:"cfdocs/cfmlsyntaxcheck.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-viewexample";flags:PA; content:"cfdocs/snippets/viewexample.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-verify mail";flags:PA; content:"CFUSION_VERIFYMAIL()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sourcewindow";flags:PA; content:"cfdocs/exampleapp/docs/sourcewindow.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-settings refresh";flags:PA; content:"CFUSION_SETTINGS_REFRESH()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-set odbc ini";flags:PA; content:"CFUSION_SETODBCINI()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sendmail";flags:PA; content:"cfdocs/expeval/sendmail.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-openfile";flags:PA; content:"cfdocs/expeval/openfile.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-mainframeset";flags:PA; content:"cfdocs/examples/mainframeset.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-gettempdirectory";flags:PA; content:"cfdocs/snippets/gettempdirectory.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc ini";flags:PA; content:"CFUSION_GETODBCINI()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc dsn";flags:PA; content:"CFUSION_GETODBCDSN()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get datasourceusername";flags:PA; content:"CF_GETDATASOURCEUSERNAME()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-fileexists";flags:PA; content:"cfdocs/snippets/fileexists.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-exprcalc";flags:PA; content:"cfdocs/expeval/exprcalc.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-parks";flags:PA; content:"cfdocs/examples/parks/detail.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-cfappman";flags:PA; content:"/cfappman/index.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-beaninfo";flags:PA; content:"cfdocs/examples/cvbeans/beaninfo.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-evaluate";flags:PA; content:"cfdocs/snippets/evaluate.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-display";flags:PA; content:"cfdocs/expeval/displayopenedfile.cfm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-db connections flush";flags:PA; content:"CFUSION_DBCONNECTIONS_FLUSH()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourceusername";flags:PA; content:"CF_SETDATASOURCEUSERNAME()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourcepassword";flags:PA; content:"CF_SETDATASOURCEPASSWORD()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasource";flags:PA; content:"CF_ISCOLDFUSIONDATASOURCE()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-encrypt";flags:PA; content:"CFUSION_ENCRYPT()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-decrypt";flags:PA; content:"CFUSION_DECRYPT()"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS237 - Web-Frontpage .htw"; flags: PA; content: ".htw"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS248 - Web-Frontpage …. request"; flags: PA; content: "...."; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-writeto.cnf";flags:PA; content:"_vti_pvt/writeto.cnf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-users.pwd";flags:PA; content:"users.pwd"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-svcacl.cnf";flags:PA; content:"_vti_pvt/svcacl.cnf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.exe";flags:PA; content:"_vti_bin/shtml.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.dll";flags:PA; content:"_vti_bin/shtml.dll"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-services.cnf";flags:PA; content:"_vti_pvt/services.cnf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.stp";flags:PA; content:"_vti_pvt/service.stp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.pwd";flags:PA; content:"service.pwd"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.cnf";flags:PA; content:"_vti_pvt/service.cnf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.txt";flags:PA; content:"_private/registrations.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.htm";flags:PA; content:"_private/registrations.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.txt";flags:PA; content:"_private/register.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.htm";flags:PA; content:"_private/register.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.txt";flags:PA; content:"_private/orders.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.htm";flags:PA; content:"_private/orders.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpsrvadm.exe";flags:PA; content:"fpsrvadm.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpremadm.exe";flags:PA; content:"fpremadm.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpadmin.htm";flags:PA; content:"admisapi/fpadmin.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-Fpadmcgi.exe";flags:PA; content:"scripts/Fpadmcgi.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results.htm";flags:PA; content:"_private/form_results.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results";flags:PA; content:"_private/form_results.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-contents.htm";flags:PA; content:"admcgi/contents.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-cfgwiz.exe";flags:PA; content:"cfgqiz.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-authors.pwd";flags:PA; content:"authors.pwd"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-author.exe";flags:PA; content:"_vti_bin/_vti_aut/author.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-administrators.pwd";flags:PA; content:"administrators.pwd"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-admin.pl";flags:PA; content:"admin.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-access.cnf";flags:PA; content:"_vti_pvt/access.cnf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS200 - Web-IIS Encoding"; flags:PA; content: "|25 31 75|";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS - Possible Attempt at FPCOUNT.EXE DoS"; flags:PA; content:"fpcount.exe"; content:"Digits=-"; nocase;)
alert tcp !$HOME_NET 1024: -> $HOME_NET 1031:1035 (msg:"IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization"; flags:S;)
alert tcp !$HOME_NET 1024: -> $HOME_NET 1029 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;)
alert tcp !$HOME_NET 1024: -> $HOME_NET 1091 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;)
alert tcp !$HOME_NET 1024: -> $HOME_NET 1043 (msg:"IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization"; flags:S;)
alert tcp !$HOME_NET 1024: -> $HOME_NET 1038 (msg:"IIS - Possible Attempt at NT TPSVCS.EXE 100% CPU Utilization"; flags:S;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvs.exe";flags:PA; content:"scripts/tools/getdrvs.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-anot3.htr Attempt";flags:PA; content:"iisadmpwd/anot3.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-anot.htr Attempt";flags:PA; content:"iisadmpwd/anot.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp4b.htr Attempt";flags:PA; content:"iisadmpwd/aexp4b.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp4.htr Attempt";flags:PA; content:"iisadmpwd/aexp4.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp2b.htr Attempt";flags:PA; content:"iisadmpwd/aexp2b.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp2.htr Attempt";flags:PA; content:"iisadmpwd/aexp2.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-aexp.htr Attempt";flags:PA; content:"iisadmpwd/aexp.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-achg.htr Attempt";flags:PA; content:"iisadmpwd/achg.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-uploadn";flags:PA; content:"scripts/uploadn.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srchadm";flags:PA; content:"srchadm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.htm";flags:PA; content:"samples/isapi/srch.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.asp";flags:PA; content:"iissamples/issamples/query.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-showcode";flags:PA; content:"msadc/samples/selector/showcode.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-search97";flags:PA; content:"search97.vts";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-scripts-browse";flags:PA; content:"scripts/|20|"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-SAM Attempt";flags:PA; content:"sam._"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse20";flags:PA; content:"%20.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse0a";flags:PA; content:"%0a.pl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl";flags:PA; content:"scripts/perl?"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-Overflow-htr";flags:PA; content:"BBBB.htrHTTP"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-newdsn";flags:PA; content:"scripts/tools/newdsn.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-newdsn";flags:PA; content:"scripts/tools/newdsn.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-MSProxy";flags:PA; content:"scripts/proxy/w3proxy.dll"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-msadc/msadcs.dll";flags:PA; content:"msadc/msadcs.dll"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-isc$data";flags:PA; content:".idc|3a3a|$data"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-iisadmpwd";flags:PA; content:"iisadmpwd/aexp3.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-idc-srch";flags:PA; content:"#filename=*.idc"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvrs";flags:PA; content:"scripts/tools/getdrvrs.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-fpcount";flags:PA; content:"scripts/fpcount.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-exec-srch";flags:PA; content:"#filename=*.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-details.idc";flags:PA; content:"scripts/samples/details.idc"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-del";flags:PA; content:"&del+/s+c|3a|\*.*"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-ctguestb.idc";flags:PA; content:"scripts/samples/ctguestb.idc"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-codebrowser SDK";flags:PA; content:"iissamples/sdk/asp/docs/codebrws.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-codebrowser Exair";flags:PA; content:"iissamples/exair/howitworks/codebrws.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-cmd?";flags:PA; content:".cmd?&"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-CGImail";flags:PA; content:"scripts/CGImail.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-catalog_type";flags:PA; content:"AdvWorks/equipment/catalog_type.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-carbo.dll";flags:PA; content:"carbo.dll"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bdir";flags:PA; content:"scripts/iisadmin/bdir.htr"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bat?";flags:PA; content:".bat?&"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-srch";flags:PA; content:"#filename=*.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-dot";flags:PA; content:".asp."; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp$data";flags:PA; content:".asp|3a3a|$data"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-dll-serv";flags:PA; content:"scripts/iisadmin/ism.dll?http/serv"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-dll";flags:PA; content:"scripts/iisadmin/ism.dll?http/dir"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-default";flags:PA; content:"scripts/iisadmin/default.htm"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin";flags:PA; content:"scripts/iisadmin"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-adctest.asp";flags:PA; content:"msadc/samples/adctest.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_vti_inf";flags:PA; content:"_vti_inf.html"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_Site Server Config";flags:PA; content:"adsamples/config/site.csc"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-*.idc";flags:PA; content:"*.idc"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS259 - Web MISC - alibaba overflow"; content: "POST"; flags: AP; dsize: ">1400";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS265 - Web cgi cgitest"; content: "cgitest.exe|0d0a|user"; nocase; flags: AP; offset: "4";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS258 - Web cgi get32.exe"; flags:PA; content: "get32.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - Web-compaq-insight-dot-dot"; content: "../";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS209 - WEB-MISC - Phorum Violation"; flags: AP; content:"violation.php3"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS208 - WEB-MISC - Phorum Read"; flags: AP; content:"read.php3"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS207 - WEB-MISC - Phorum Code"; flags: AP; content:"code.php3"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS206 - WEB-MISC - Phorum Auth"; flags: AP; content:"PHP_AUTH_USER=boogieman"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS205 - WEB-MISC - Phorum Admin"; flags: AP; content:"admin.php3"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 457 (msg:"IDS180 - WEB-netscape-overflow-unixware"; flags: AP; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.wwwacl";flags:PA; content:"secure/wwwacl"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.htaccess";flags:PA; content:"secure/.htaccess"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt";flags:PA; content:"scripts/../../cmd.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cpshost.dll Attempt";flags:PA; content:"scripts/cpshost.dll"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-convert.bas Attempt";flags:PA; content:"scripts/convert.bas"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-AuthChangeUrl";flags:PA; content:"_AuthChangeUrl?"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-webcart";flags:PA; content:"/webcart/"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-prefix-get //";flags:PA; content:"get //"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-PageService";flags:PA; content:"?PageServices"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ORiley-win-c-sample.exe";flags:PA; content:"cgi-shl/win-c-sample.exe"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ORiley-args.bat";flags:PA; content:"cgi-dos/args.bat"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mylog";flags:PA; content:"mylog.phtml?"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mlog";flags:PA; content:"mlog.phtml?"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ls%20-l";flags:PA; content:"ls%20-l"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-EditDoc";flags:PA; content:"?EditDocument"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-DelDoc";flags:PA; content:"?DeleteDocument"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ICQ webserver";flags:PA; content:".html/......"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-etcpaswd";flags:PA; content:"etc/passwd"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"orders/import.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"config/import.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-checks.txt";flags:PA; content:"orders/checks.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-check.txt";flags:PA; content:"config/check.txt"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-names.nsf";flags:PA; content:"names.nsf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-log.nsf";flags:PA; content:"log.nsf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domlog.nsf";flags:PA; content:"domlog.nsf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domcfg.nsf";flags:PA; content:"domcfg.nsf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-catalog.nsf";flags:PA; content:"catalog.nsf"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-count.cgi";flags:PA; content:"count.cgi"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cgi-bin///";flags:PA; content:"cgi-bin///"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cd..";flags:PA; content:"cd.."; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cat%20";flags:PA; content:"cat%20"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ApacheDOS";flags:PA; content:"|2f2f2f2f2f2f2f2f|";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-~root";flags:PA; content:"~root"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-///cgi-bin";flags:PA; content:"///cgi-bin"; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-/....";flags:PA; content:"|2f2e2e2e2e|";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-..\..";flags:PA; content:"|2e2e5c2e2e|";)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-../..";flags:PA; content:"|2e2e2f2e2e|";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Registry Add Client Request"; content:"89";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Close Port Scan Client Request"; content:"121";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Process List Client request"; content:"64";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 FTP Server Port Client Request"; content:"21";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Send to URL Client Request"; content:"12";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Resolution Change Client Request"; content:"125";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Monitor on/off Client Request"; content:"07";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Dialog Box Client Request"; content:"70";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 CD ROM Close Client Request"; content:"03";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 CD ROM Open Client Request"; content:"02";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 HUP Modem Client Request"; content:"199";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"118";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"117";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Get NET File Client Request"; content:"100";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Run Program Normal Client Request"; content:"14";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Play Sound Client Request"; content:"36";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Delete File Client Request"; content:"41";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Change Wallpaper Client Request"; content:"20";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Create Directory Client Request"; content:"39";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Picture Client Request"; content:"22";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Send Text to Window Client Request"; content:"63";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Window Client Request"; content:"25";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide Window Client Request"; content:"26";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Change Window Title Client Request"; content:"60";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Enable Window Client Request"; content:"24";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Disable Window Client Request"; content:"23";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Kill Window Client Request"; content:"38";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 All Window List Client Request"; content:"370";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Visible Window List Client Request"; content:"37";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";)
alert udp !$HOME_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Rehash Client Request"; content:"911";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Password Remove Client Request"; content:"92";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Password Change Client Request"; content:"91";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 RAS Passwords Client Request"; content:"17";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Cached Passwords Client Request"; content:"16";)
alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server FTP Port Change Client Request"; content:"21";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 FTP Status Client Request"; content:"09";)
alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 E-Mail Info Client Request"; content:"12";)
alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Status From Server"; content:"Host";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Status Client Request"; content:"10";)
alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Drive Info From Server"; content:"C - ";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Drive Info Client Request"; content:"130";)
alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 System Info From Server"; content:"Comp Name";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";)
alert udp $HOME_NET 3150 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Wrong Password";: content:"Wrong Password";)
alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";)
alert udp $HOME_NET 3150 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Wrong Password"; content:"Wrong Password";)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed