#---------------------------------------------- # http://snort.rapidnet.com 'ALL' Ruleset # Current Database Updated 07/06/2000 # Contact: Jim Forster - jforster@rapidnet.com #---------------------------------------------- preprocessor http_decode: 80 443 8080 preprocessor minfrag: 128 preprocessor portscan: 12.23.34.45/32 3 5 /var/log/snort_portscan.log # ^^^^^^^^^^^ ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^ # | | | | #Your IP address or Network here+ | | | # | | | #Ammount of ports being connected-----+ | | # in this | | #Interval (in seconds)------------------+ | # | #Log file (path/name)----------------------------------+ preprocessor portscan-ignorehosts: # Hosts to ignore in portscan detection #--------------------------------------------- # CHANGE THE NEXT LINE TO REFLECT YOUR NETWORK # (Single system = your ip/32) var HOME_NET yournet/subnet #--------------------------------------------- alert tcp !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS242 - RPC ttdbserv Solaris Overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flags: AP; dsize: >999;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS232 - WEB-CGI-PHP CGI access attempt";flags:PA; content:"php.cgi?/"; offset: 5; depth: 32; nocase;) alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enabled Sent from Server!"; flags:PA; content:"FTP server enabled";) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"IDS001 - BACKDOOR SIGNATURE - ADMw0rm-ftp-retrieval";flags:PA; content:"USERw0rm|0D0A|";) alert tcp !$HOME_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR SIGNATURE - GirlFriendaccess"; flags:PA; content:"Girl";) alert tcp $HOME_NET 30100 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - NetSphere access"; flags: PA; content:"NetSphere";) alert tcp $HOME_NET 6969 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - GateCrasheraccess"; flags:PA; content:"GateCrasher";) alert icmp !$HOME_NET any -> $HOME_NET 16660 (msg:"IDS179 - BACKDOOR SIGNATURE - Stacheldraht Client";) alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - Possible PhaseZero Server Active on Network";content:"phAse";flags:PA;) alert udp $HOME_NET 2140 -> any 60000 (msg:"BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";) alert udp any 60000 -> $HOME_NET 3150 (msg:"BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|";) alert udp any 3150 -> $HOME_NET 60000 (msg:"BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network"; content:"|00 23|";) alert udp any 60000 -> $HOME_NET 2140 (msg:"BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network";) alert udp any 2140 -> $HOME_NET 60000 (msg:"BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network";) alert tcp $HOME_NET 23476 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - DonaldDick 1.53 Traffic"; flags:PA; content:"pINg";) alert tcp $HOME_NET 31785 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - HackAttack 1.20 Connect"; flags:PA; content:"host";) alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - PhaseZero Server Active on Network"; flags:PA; content:"phAse";) alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro File List"; flags:PA; content:"|2D 2D|";) alert udp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS201 - BACKDOOR SIGNATURE - Q UDP"; dsize: ">1";) alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS203 - BACKDOOR SIGNATURE - Q TCP"; flags:A; dsize: ">1";) alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS202 - BACKDOOR SIGNATURE - Q ICMP"; itype: 0; dsize: ">1";) alert tcp $HOME_NET 5714 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|";) alert udp !$HOME_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR SIGNATURE - Matrix 2.0 Server ACK"; content:"logged in";) alert tcp $HOME_NET 30100:30102 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - NetSphere 1.31.337 Data"; flags:PA; content:"NetSphere";) alert tcp !$HOME_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;) alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 Login Detected!"; flags:PA; content:"connected. time/date";) alert tcp $HOME_NET !53:80 -> !$HOME_NET 5032 (msg:"BACKDOOR SIGNATURE - NetMetro Outbound Data"; flags:PA;) alert tcp $HOME_NET 666 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Server FTP Open Reply"; flags:PA; content:"FTP Port open";) alert tcp !$HOME_NET any -> $HOME_NET 666 (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Client FTP Open Request"; flags:PA; content:"FTPON";) alert tcp $HOME_NET 5401:5402 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Connection"; flags:PA; content:"c|3A|\";) alert tcp any !80 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enable from Client"; flags:PA; content:"FTPenable!";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS263 - Backdoor Signature - CDK"; content: "ypi0ca"; nocase; flags: AP; depth: "15";) alert udp !$HOME_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR SIGNATURE - Matrix 2.0 Client connect"; content:"activate";) alert tcp any any -> any 15104 (msg: "IDS111 - DDoS - mstream client to handler"; flags: S;) alert tcp any 12754 -> any any (msg: "IDS110 - DDoS - mstream handler to client"; content: ">"; flags: AP;) alert tcp any any -> any 12754 (msg: "IDS110 - DDoS - mstream client to handler"; content: ">"; flags: AP;) alert udp any any -> any 10498 (msg: "IDS103 - DDoS - mstream agent pong to handler" ; content: "pong";) alert udp any any -> any 10498 (msg: "IDS102 - DDoS - mstream handler ping to agent" ; content: "ping";) alert udp any any -> any 10498 (msg: "IDS101- DDoS - mstream handler to agent"; content: "stream/"; ) alert udp any any -> any 6838 (msg: "IDS100 - DDoS - mstream agent to handler"; content: "newserver"; ) alert tcp any 15104 -> any any (msg: "IDS112 - DDoS - mstream handler to client"; content: ">"; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master-default mdie pass detected!";flags:PA; content:"killme";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS194 - DDoS - Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS190 - DDoS - Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666;) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS187 - DDoS - Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS186 - DDoS - Trin00:DaemontoMaster(messagedetected)"; content:"l44";) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS - Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS192 - DDoS - Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000;) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master defaultr.i.passdetected!";flags:PA; content:"gOrave";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS182 - DDoS - TFN server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0;) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS - Trin00:Attacker to Master default startup pass detected!";flags:PA; content:"betaalmostdone";) alert icmp $HOME_NET any -> !$HOME_NET any (msg:"IDS191 - DDoS - Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667;) alert icmp $HOME_NET any -> !$HOME_NET any (msg:"IDS195 - DDoS - Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669;) alert icmp 3.3.3.3/32 any -> !$HOME_NET any (msg:"IDS193 - DDoS - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;) alert udp !$HOME_NET any -> $HOME_NET 27444 (msg:"IDS197 - DDoS - Trin00:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS183 - DDoS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0;) alert tcp !$HOME_NET any -> $HOME_NET 20432 (msg:"IDS254 - DDoS shaft client to handler"; flags: AP;) alert udp !$HOME_NET any -> $HOME_NET 18753 (msg:"IDS255 - DDoS shaft handler to agent"; content: "alive tijgu";) alert udp !$HOME_NET any -> $HOME_NET 20433 (msg:"IDS256 - DDoS shaft agent to handler"; content: "alive";) alert tcp $HOME_NET :1024 -> !$HOME_NET any (msg:"IDS253 - DDoS shaft synflood outgoing"; flags: S; seq: 674711609;) alert tcp !$HOME_NET :1024 -> $HOME_NET any (msg:"IDS252 - DDoS shaft synflood incoming"; flags: S; seq: 674711609;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS184 - DDoS - TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0;) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS011 - Finger cybercop redirection"; flags:PA; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; dsize: "11"; depth: "11";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS251 - Finger redirection"; content: "@"; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Search";flags:PA; content:"search";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-root";flags:PA; content:"root";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-ProbeNull"; flags:PA; content:"|00|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Probe0";flags:PA; content:"0";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-PipeW";flags:PA; content:"/W|3b|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Pipe"; flags:PA; content:"|7c|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"FINGER-Bomb";flags:PA; content:"@@";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS131 - CVE-1999-0612 - FINGER-0@host";flags:PA; content:"|300A|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS130 - CVE-1999-0612 - FINGER-.@host";flags:PA; content:"|2E0A|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-pass-h0tb0x";flags:PA; content:"pass h0tb0x";) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP-NT-bad-login"; content:"Login failed.";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS134 - CVE-1999-0202 - FTP tar parameters";flags:PA; content:"RETR--use-compress-program";) alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS137 - CVE-1999-0183 - TFTP parent directory"; content:"..";) alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS138 - CVE-1999-0183 - TFTP rootdirectory"; content:"|0001|/";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-cwd~root"; flags:PA; content:"cwd ~root";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-forward";flags:PA; content:".forward";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-linux-nullpass";flags:PA; content:"pass null |0d|";) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP-bad-login";flags:PA; content:"530 Login incorrect";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-nopassword";flags:PA; content:"pass |0d|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS257 - Aix FTP Buffer Overflow";flags:PA;dsize:>1300; content:"CEL ";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-pass-wh00t";flags:PA; content:"pass wh00t";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-rhosts";flags:PA; content:".rhosts";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-shosts";flags:PA; content:".shosts";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-site-exec";flags:PA; content:"site exec";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-user-root";flags:PA; content:"user root |0d|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-user-warez";flags:PA; content:"user warez |0d|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password Retrieval"; content:"passwd"; flags: AP;) alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS148 - CVE-1999-0183 - TFTP Write"; content:"|00 02|"; depth:"2"; ) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP-linux-nulluser";flags:PA; content:"user null |0d|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"VNC Active on Network"; flags:PA; content:"RFB 003.003";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS116 - MISC-SourceRoute-ICMP-lssr";ipopts:lsrr;) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|01 00 00 01 00 00 00 00 00 00|"; flags: AP; offset: "2"; depth: "16";) alert tcp !$HOME_NET 53 -> $HOME_NET :1023 (msg:"IDS007 - MISC-Source Port Traffic 53 TCP"; flags:S;) alert udp !$HOME_NET 53 -> $HOME_NET 138:1023 (msg:"MISC-Source Port Traffic 138-1023";) alert udp !$HOME_NET 53 -> $HOME_NET 54:136 (msg:"MISC-Source Port Traffic 54-136";) alert udp !$HOME_NET 53 -> $HOME_NET 0:52 (msg:"MISC-Source Port Traffic 0-52";) alert tcp !$HOME_NET 20 -> $HOME_NET :1023 (msg:"IDS006 - MISC-Source Port Traffic 20 TCP"; flags:S; ) alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"MISC-DNS-version-query"; content:"version|04|bind|0000 1000 03";) alert tcp !$HOME_NET any -> $HOME_NET 5631 (msg:"MISC-PCAnywhere Attempted Administrator Login";flags:PA; content:"ADMINISTRATOR";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"IDS003 - MISC-Traceroute UDP";ttl:"1";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"MISC-Traceroute TCP";ttl:"1";) alert tcp !$HOME_NET !53 -> $HOME_NET 1080 (msg:"MISC-WinGate-1080-Attempt";flags:S;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS117 - MISC-SourceRoute-ICMP-lssre";ipopts:lsrre;) alert udp !$HOME_NET any -> $HOME_NET 5632 (msg:"IDS239 - MISC-PCAnywhere Startup"; content:"ST"; depth: "2";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"MISC-IRDP-Router-Selection(l0phtattack)";itype:10;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS174 - MISC-IRDPRouterSelection";itype:10;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS173 - MISC-IRDPRouterAdvertisement";itype:9;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS199 - CVE-1999-0265 - MISC-ICMPRedirectNet";itype:5;icode:0;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS135 - CVE-1999-0265 - MISC-ICMPRedirectHost";itype:5;icode:1;) alert icmp !$HOME_NET any -> !$HOME_NET any (msg:"IDS238 - Traceroute IPOPTS"; ipopts: rr; itype: 0;) alert tcp !$HOME_NET 6000:6005 -> $HOME_NET any (msg:"IDS126 - Outgoing Xterm"; flags: SA;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"MISC-Passwd-Attempt";flags:PA; content:"passwd";) alert udp !$HOME_NET any -> $HOME_NET !520 (msg:"IDS115 - MISC-Traceroute-UDP";TTL:1;) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"IDS147 - CVE-1999-004 - IMAP-x86-linux-buffer-overflow";flags:PA; content:"|e8c0ffffff|/bin/sh";) alert tcp !$HOME_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;) alert tcp !$HOME_NET any -> $HOME_NET 32771 (msg:"MISC-Attempted Sun RPC high port access";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS118 - MISC-Traceroute ICMP";ttl:1;itype:8;) alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";) alert tcp any any <> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 8888 (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 7777 (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 6666 (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 5555 (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 4444 (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 8875 (msg:"Napster Server Login"; flags:PA; content:"anon@napster.com";) alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"BUGTRAQ ID 1009 - Possible attempt at Bay/Nortel Nautica Marlin DoS); dsize:0;) alert tcp !$HOME_NET any -> $HOME_NET 9090 (msg:"MISC - Attempt at VQServer Admin"; flags:PA; content:"GET / HTTP/1.1"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 617 (msg:"MISC Knox Arkeia DOS"; flags:PA;dsize:>1445;) alert udp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";) alert tcp !$HOME_NET any -> $HOME_NET 1417 (msg:"IDS229 - Insecure TIMBUKTU Password"; content: "|05 00 3E|"; flags: AP; depth: "16";) alert tcp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";) alert tcp $HOME_NET 5632 -> !$HOME_NET any (msg:"IDS240 - MISC-PCAnywhere Failed Login";flags:PA; content:"Invalid login"; depth: "16";) alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";) alert icmp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS264 MISC DoS ath0"; content: "+++ath0"; nocase; itype: 8;) alert tcp !$HOME_NET any -> $HOME_NET 8080 (msg:"IDS267 - Delegate proxy overflow"; content: "whois|3a|//"; nocase; flags: AP; dsize: ">1000";) alert udp !$HOME_NET any -> $HOME_NET 9 (msg:"IDS262 - CVE-1999-0060 - Ascend Router DoS"; content: "|4e 41 4d 45 4e 41 4d 45|"; offset: "25"; depth: "50";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS260 - MISC Annex Terminal DOS"; flags:PA;dsize:>1446; content:"ping?query";) alert tcp !$HOME_NET any -> $HOME_NET 617 (msg:"IDS261 - MISC DoS arkiea backup"; flags: AP; dsize: ">1445";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS204 - NT NULL session"; flags:PA; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"IDS247 - MISC - Large UDP Packet"; dsize: ">800";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS246 - MISC - Large ICMP Packet"; dsize: ">800";) alert tcp $HOME_NET 7161 -> !$HOME_NET any (msg:"IDS129 - CVE-1999-0430 - Cisco Catalyst Remote Access"; flags:SA;) alert udp !$HOME_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"Possible RFParalyze Attempt"; flags:PA; content:"BEAVIS"; content:"yep yep";) alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"NETBIOS-SNMP-NT-UserList"; content:"|2b 06 10 40 14 d1 02 19|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-IPC$access";flags:PA; content:"|5c00|I|00|P|00|C|00|$|000000|IPC|00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-IPC$access";flags:PA; content:"\IPC$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-D$access";flags:PA; content:"\D$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-CD...";flags:PA; content:"\...|00 00 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-CD..";flags:PA; content:"\..|2f 00 00 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-C$access";flags:PA; content:"\C$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-SMB-ADMIN$access";flags:PA; content:"\ADMIN$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"NETBIOS-Samba-clientaccess";flags:PA; content:"|00|Unix|00|Samba";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS275 - Cisco Web Crash"; flags:PA; content: "|20 2F 25 25|"; depth: "16";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS273 - Sniffit overflow"; flags:PA; content: "from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: ">512";) alert tcp !$HOME_NET any -> $HOME_NET 119 (msg:"IDS274 - NNTP Cassandra Overflow"; flags:PA; content: "AUTHINFO USER"; nocase; dsize: ">512"; depth: "16";) alert tcp !$HOME_NET any -> $HOME_NET 2766 (msg:"OVERFLOW-x86-solaris-nlps";flags:PA; content:"|eb235e33c08846fa8946f58936|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic1";flags:PA; content:"|5057 440A 2F69|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic2";flags:PA; content:"|5858 5858 582F|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-adm";flags:PA; content:"|31 c0 31 db b0 17 cd 80 31 c0 b0 17 cd 80|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-duke";flags:PA; content:"|31c0 31db b017 cd80 31c0 b017 cd80|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-sekure";flags:PA; content:"MKD AAAAAA";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-smiler";flags:PA; content:"|31db 89d8 b017 cd80 eb2c|";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-wh0a";flags:PA; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-generic";flags:PA; content:"|cd80 e8d7 ffff ff|/bin/sh";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-MailMax";flags:PA; content:"eb45eb205bfc33c9b1828bf3802b";) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd6";flags:PA; content:"|eb385e89f389d880460120804602|";) alert udp !$HOME_NET any -> $HOME_NET 518 (msg:"OVERFLOW-x86-linux-ntalkd"; content:"|0103 0000 0000 0001 0002 02e8|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-sparc";flags:PA; content:"|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86freebsd-rotsb";flags:PA; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv2";flags:PA; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv3";flags:PA; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-CSMMail";flags:PA; content:"eb53eb205bfc33c9b1828bf3802b";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"OVERFLOW-x86-linux-samba";flags:PA; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-IRC-client-Chocoa";flags:PA; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|";) alert tcp !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux";flags:PA; content:"|ffff ff2f 4249 4e2f 5348 00|";) alert tcp !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux2";flags:PA; content:"|eb2c5b89d980c10639d97c078001|";) alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd";flags:PA; content:"|685d 5eff d5ff d4ff f58b f590 6631|";) alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd2";flags:PA; content:"|5e0e31c0b03b8d7e0e89fa89f9|";) alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86linux";flags:PA; content:"|d840 cd80 e8d9 ffff ff|/bin/sh";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-2!";flags:PA; content:"|5858 5858 582F|";) alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-QPOP";flags:PA; content:"|E8 D9FF FFFF|/bin/sh";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-1!";flags:PA; content:"|5057 440A2F69|";) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-86-linux-imap1";flags:PA; content:"|e8 c0ff ffff|/bin/sh";) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-IMAP";flags:PA; content:"|E8 C0FF FFFF|/bin/sh";) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd2";flags:PA; content:"|89d8 40cd 80e8 c8ff ffff|/";) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd3";flags:PA; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|";) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd4";flags:PA; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";) alert tcp !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd5";flags:PA; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";) alert udp !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|";) alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86sco";flags:PA; content:"|560e31c0b03b8d7e1289f989f9|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"IDS181 - OVERFLOW-NOOP-X86"; content:"|9090 9090 9090 9090 9090 9090 9090 9090|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI"; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI";flags:PA; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Solaris"; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Solaris";flags:PA; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc"; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-rotsb";flags:PA; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc";flags:PA; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP";flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-X86";flags:PA; content:"|9090 9090 9090 9090 9090 9090 9090 9090|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"ADMROCKS";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"../../../../../../../../../";) alert tcp !$HOME_NET 80 -> $HOME_NET any (msg:"IDS215 - OVERFLOW - Client - netscape47-retrieved"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;) alert tcp $HOME_NET any -> !$HOME_NET 80 (msg:"IDS214 - OVERFLOW - Client - netscape47-unsucessful"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";) alert tcp !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-named";flags:PA; content:"|CD80 E8D7 FFFF FF|/bin/sh";) alert udp !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd2"; content:"|5eb0 0289 06fe c889 4604 b006 8946|";) alert udp !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd3"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";) alert tcp !$HOME_NET any -> $HOME_NET 6373 (msg:"OVERFLOW-sco-calserver";flags:PA; content:"|eb7f 5d55 fe4d 98fe 4d9b|";) alert udp !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP-x86bsd"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|";) alert udp !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP--x86linux"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI";flags:PA; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-LinuxCommonUDP"; content:"|90 90 90 e8 c0 ff ff ff|/bin/sh";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI"; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX";flags:PA; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Digital";flags:PA; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Digital"; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP";flags:PA; content:"|0821 0280 0821 0280 0821 0280 08210 0280|";) alert udp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-HP"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NextFTP-client";flags:PA; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-LinuxCommonTCP";flags:PA; content:"|90 90 90 e8 c0 ff ff ff|/bin/sh";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS166 - PING Seer Windows"; content:"|88042020202020202020202020202020|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: "32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS153 - PING Cisco Type.x"; content:"|abcdabcdabcdabcdabcdabcdabcdabcd|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS154 - PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS155 - PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS156 - PING Flowpoint 2200DSL Router"; content:"|0102030405060708090a0b0c0d0e0f10|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS157 - PING IP NetMonitor Macintosh"; content:"|a9205375737461696e61626c6520536f|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS158 - PING ISS Pinger"; content:"|495353504e475251|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS159 - PING Microsoft Windows"; content:"|6162636465666768696a6b6c6d6e6f70|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS161 - PING Network Toolbox 3 Windows"; content:"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA";itype:8;dsize:"0";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING *NIX Type"; content:"|101112131415161718191a1b1c1d1e1f|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS151 - PING BeOS4.x"; content:"|00000000000000000000000008090a0b|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS164 - PING Ping-O-MeterWindows"; content:"|4f4d657465724f6265736541726d6164|";itype:8;depth:"32";) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Message"; itype:18;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS167 - PING TJPingPro1.1Build 2 Windows"; content:"|544a50696e6750726f206279204a696d|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS168 - PING WhatsupGold Windows"; content:"|57686174735570202d2041204e657477|";itype:8;depth:"32";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS169 - PING Windows Type"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: "32";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS028 - PING NMAP TCP";flags:A;ack:"0";) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Destination Unreachable"; itype:3;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Source Quench"; itype:4;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Time Exceeded"; itype:11;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Parameter Problem"; itype:12;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Timestamp"; itype:13;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Information Request"; itype:15;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Information Reply"; itype:16;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"IDS216 - PING-ICMP Subnet Mask Request"; itype:17;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS163 - PING Pinger Windows"; content:"|44617461000000000000000000000000|";itype:8;depth:"32";) alert tcp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC Info Query"; content:"|00 01 86 A0 00 00 00 02 00 00 00 04|";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS025 - RPC - portmap-request-selection_svc"; content:"|01 86 AF 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS019 - RPC - portmap-request-amountd"; content:"|01 87 03 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS016 - RPC - portmap-request-bootparam"; content:"|01 86 BA 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS017 - RPC - portmap-request-cmsd"; content:"|01 86 E4 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS013 - RPC - portmap-request-mountd"; content:"|01 86 A5 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS021 - RPC - portmap-request-nisd"; content:"|01 87 cc 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS022 - RPC - portmap-request-pcnfsd"; content:"|02 49 f1 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS023 - RPC - portmap-request-rexd";content:"|01 86 B1 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS010 - RPC - portmap-request-rstatd"; content:"|01 86 A1 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS018 - RPC - portmap-request-admind"; content:"|01 86 F7 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS020 - RPC - portmap-request-sadmind"; content:"|01 87 88 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS015 - RPC - portmap-request-status"; content:"|01 86 B8 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS024 - RPC - portmap-request-ttdbserv"; content:"|01 86 F3 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS014 - RPC - portmap-request-yppasswd"; content:"|01 86 A9 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS012 - RPC - portmap-request-ypserv"; content:"|01 86 A4 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS125 - RPC - portmap-request-ypupdated"; content:"|01 86 BC 00 00|";offset:"40";depth:"8";) alert udp !$HOME_NET any -> $HOME_NET 32770: (msg:"IDS009 - RPC-rstatd-query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:"5";) alert tcp !$HOME_NET any -> $HOME_NET 634:1400 (msg:"IDS217 - RPC AMD Overflow"; flags:PA; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|";depth: "32"; ) alert tcp !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill"; flags: PA; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: "16"; depth: "32";) alert tcp !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS242 - CVE-1999-0003 - RPC ttdbserv Solaris Overflow"; flags: PA; dsize: ">999"; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS133 - RPC - portmap-request-rusers"; content:"|01 86 A2 00 00|";offset:"40";depth:"8";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Handler CGI access attempt"; content:"/cgi-bin\\handler"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Web Distribution access attempt"; content:"/cgi-bin\\webdist.cgi"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- mlog access attempt"; content:"/mlog.phtml"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- mylog access attempt"; content:"/mylog.phtml"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Start Stop Web access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- cfappman access attempt"; content:"/cfappman\\index.cfm"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Mall log order access attempt"; content:"/mall_log_files\\order.log"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- IIS search97 access attempt"; content:"/search97.vts"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- BigConf access attempt"; content:"/bigconf.cgi"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Shopping cart access attempt"; content:"/quikstore.cfg"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Order log access attempt"; content:"/admin_files\\order.log"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- WS_FTP.INI access attempt "; content:"/ws_ftp.ini"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Order log access attempt"; content:"/admin_files/order.log"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- wrap CGI access attempt"; content:"/cgi-bin\\wrap"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth - Mall log order access attempt"; content:"/mall_log_files/order.log"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- cfappman access attempt"; content:"/cfappman/index.cfm"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Start Stop Web access attempt"; content:"/cfide/administrator/startstop.html"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- head"; content:"|68 65 61 64|"; offset: 0; depth: 4;) alert tcp !$HOME_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- HEAD"; content:"HEAD"; offset: 0; depth: 4; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- DBML Parser access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;) alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS277 - NAMED Iquery Probe"; content: "|0980 0000 0001 0000 0000|"; offset: "2"; depth: "16";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS132 - CVE-1999-0612 - Cybercop Finger Query"; content: "|0A 20 20 20 20 20|"; flags: AP; depth: "10";) alert tcp !$HOME_NET any -> $HOME_NET 32771: (msg:"IDS26 - NFS Showmount"; flags:PA; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; offset: "16"; depth: "32";) alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS278 - NAMED Version Probe"; content: "|07|version|04|bind|00 0010 0008|"; nocase; offset: "13"; depth: "32";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS005 - SCAN-Possible NMAP Fingerprint attempt";flags:SFPU;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-ISS-FTPcheck";flags:PA; content:"pass -iss@iss";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-pISS-FTPcheck";flags:PA; content:"pass -cklaus";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-SAINT-FTPcheck";flags:PA; content:"pass -saint";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-SATAN-FTPcheck";flags:PA; content:"pass -satan";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SCAN-Cybercop-SMTPehlo";flags:PA; content:"ehlo cybercop|0a|quit|0a|";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SCAN-Cybercop-SMTPexpn";flags:PA; content:"expn cybercop";) alert udp !$HOME_NET any -> $HOME_NET 7 (msg:"SCAN-Cybercop-UDP-bomb"; content:"cybercop";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN-Cybercop-WEB";flags:PA; content:"get /cybercop";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN-Whisker!";flags:PA; content:"HEAD/./";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS236 - SCAN-IP Eye SYN Scan"; flags: S; seq: 1958810375;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS004 - SCAN-NULL Scan";flags:0; seq:0; ack:0;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS029 - SCAN-Possible Queso Fingerprint attempt";flags:S12;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-SYN FIN";flags:SF;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-ICMP Sniffer Pro/NetXRay network scan"; content:"|43696e636f204e6574776f726b2c20496e632e|"; itype: 8; depth: "32";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS149 - SCAN-Cybercop OS Probe pa12"; content: "AAAAAAAAAAAAAAAA"; flags: AP12; depth: "16";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS146 - SCAN-Cybercop OS Probe sf12"; flags: SF12; dsize: "0";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS145 - SCAN-Cybercop-OS-Probe sfp"; content: "AAAAAAAAAAAAAAAA"; flags: SFP; ack: 0; depth: "16";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS150 - SCAN-Cybercop OS Probe sfu12"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: "16";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS027 - SCAN-FIN"; flags: F;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-ADM-FTPcheck";flags:PA; content:"PASS ddd@|0a|";) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS144 - SCAN-FullXMASScan";flags:SRAFPU;) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS032 - SMTP-expn-decode";flags:PA; content:"expn decode";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS124 - SMTP-exploit8610ha";flags:PA; content:"Croot|09090909090909|Mprog,P=/bin";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS139 - CVE-1999-0204 - SMTP-exploit869a;flags:PA; content:"|0a|C|3a|daemon|0a|R";) alert tcp !$HOME_NET 113 -> $HOME_NET 25 (msg:"IDS140 - CVE-1999-0204 - SMTP-exploit869b";flags:PA; content:"|0a|D/";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS142 - CVE-1999-0204 - SMTP-exploit869d";flags:PA; content:"|0a|Croot|0a|Mprog";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS120 - SMTP-exploit41";flags:PA; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS119 - SMTP-exploit555";flags:PA; content:"mail from|3a20227c|";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS123 - SMTP-exploit8610";flags:PA; content:"Croot|0d0a|Mprog, P=/bin/";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS122 - SMTP-exploit565";flags:PA; content:"MAIL FROM|3a207c|/usr/ucb/tail";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow"; content: "HELP"; nocase; flags: AP; dsize: ">500"; depth: "10";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS031 - SMTP-expn-root";flags:PA; content:"expn root";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS143 - CVE-1999-0208 - SMTP-MajordomoIFS";flags:PA; content:"eply-to|3a| a~.`/bin/";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"SMTP-vrfy-decode";flags:PA; content:"vrfy decode";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS141 - CVE-1999-0204 - SMTP-exploit869c";flags:PA; content:"|0a|Croot|0d0a|Mprog";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS172 - CVE-1999-0095 - SMTP Exploit558"; flags: PA; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";) alert tcp $HOME_NET 25 -> !$HOME_NET any (msg:"IDS249 - SMTP Relaying Denied"; flags:AP; content: "5.7.1"; depth:"70";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS121 - SMTP-exploit564";flags:PA; content:"rcpt to|3a| decode";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - Attempted SU from wrong group"; content: "|74 6F 20 73 75 20 72 6F 6F 74 2E|"; logto:"TELNET";) alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - resolv_host_conf";flags:PA; content:"resolv_host_conf";) alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - Livingston-DoS";flags:PA; content:"|fff3 fff3 fff3 fff3 fff3|";) alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - ld_preload";flags:PA; content:"ld_preload";) alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"TELNET - ld_library_path";flags:PA; content:"ld_library_path";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - WinGate-Active"; content:"WinGate>";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - NotOnConsole"; content:"not on system console";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS127 - TELNET - Login Incorrect"; content:"Login incorrect"; logto:"TELNET";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS008 - TELNET - daemon-active";flags:PA; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Resume Worm"; content: "filename=\"Explorer.doc\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - xls.vbs file"; content: "filename=\"; content:".xls.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Resume Worm"; content: "filename=\"Explorer.doc\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - gif.vbs file"; content: "filename=\"; content:".gif.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - doc.vbs file"; content: "filename=\"; content:".doc.vbs"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - txt.vbs file"; content: "filename=\"; content:".txt.vbs"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - xls.vbs file"; content: "filename=\"; content:".xls.vbs"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - doc.vbs file"; content: "filename=\"; content:".doc.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - gif.vbs file"; content: "filename=\"; content:".gif.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - txt.vbs file"; content: "filename=\"; content:".txt.vbs"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - jpg.vbs file"; content: "filename=\"; content:".jpg.vbs"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - jpg.vbs file"; content: "filename=\"; content:".jpg.vbs"; nocase;) alert tcp any 110 -> any any (msg:"Possible MailVirus - Incoming .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase;) alert tcp any any -> any 25 (msg:"Possible MailVirus - Outgoing .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Simbiosis Worm"; content: "filename=\"SETUP.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Triplesix Worm"; content: "filename=\"666TEST.VBS""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Video Worm"; content: "filename=\"VIDEO.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Suppl Worm"; content:"filename=\"Suppl.doc""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Papa Worm"; content:"filename=\"XPASS.XLS""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Tune.vbs"; content: "filename=\"tune.vbs""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming wscript.KakWorm"; content: "filename=\"KAK.HTA""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Word Macro - VALE"; content: "filename=\"MONEY.DOC""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming The_Fly Trojan"; content: "filename=\"THE_FLY.CHM""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Fix2001 Worm"; content:"filename=\"Fix2001.exe""; nocase;) alert tcp any any -> $HOME_NET 6667 (flags: PA; content: "USER "; nocase; offset:0; depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; depth:1; content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Bubbleboy Worm"; content:"BubbleBoy is back!";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Happy99 Virus"; content:"X-Spanska\:Yes";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming PrettyPark Trojan"; content:"\CoolProgs\";offset:300;depth:750;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming ToadieE-mail Trojan"; content:"filename=\"Toadie.exe""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE""; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"Virus - Possible Incoming IROK Worm"; content:"filename=\"irok.exe""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Video Worm"; content: "filename=\"VIDEO.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing wscript.KakWorm"; content: "filename=\"KAK.HTA""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Word Macro - VALE"; content: "filename=\"MONEY.DOC""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing The_Fly Trojan"; content: "filename=\"THE_FLY.CHM""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Fix2001 Worm"; content:"filename=\"Fix2001.exe""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Suppl Worm"; content:"filename=\"Suppl.doc""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Simbiosis Worm"; content: "filename=\"SETUP.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Triplesix Worm"; content: "filename=\"666TEST.VBS""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Papa Worm"; content:"filename=\"XPASS.XLS""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possbile Incoming Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Tune.vbs"; content: "filename=\"tune.vbs""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing ToadieE-mail Trojan"; content:"filename=\"Toadie.exe""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing PrettyPark Trojan"; content:"\CoolProgs\";offset:300;depth:750;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Happy99 Virus"; content:"X-Spanska\:Yes";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing IROK Worm"; content:"filename=\"irok.exe""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Bubbleboy Worm"; content:"BubbleBoy is back!";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possbile Outgoing Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE""; nocase;) alert tcp $HOME_NET 80 -> !$HOME_NET any (msg:"IDS276 - Bugzilla 2.8 Exploit"; flags:PA; content: "blaat@blaat.com"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS232 - WEB-CGI-PHP CGI access attempt";flags:PA; content:"/php.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS128 - CVE-1999-0067 - CGI phf attempt";flags:PA; content:"/phf";flags:AP; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS228 - CVE-1999-0237 - Guestbook CGI access attempt";flags:PA; content:"/cgi-bin/guestbook.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS235 - CVE-1999-0148 - CGI-HANDLERprobe!"; flags:PA; content:"/handler"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Htmlscript CGI access attempt";flags:PA; content:"/htmlscript"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Info2 www CGI access attempt";flags:PA; content:"/info2www"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Maillist CGI access attempt";flags:PA; content:"/maillist.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS224 - CVE-1999-0045 - NPH CGI access attempt";flags:PA; content:"nph-test-cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS221 - CVE-1999-0612 - Finger CGI access attempt";flags:PA; content:"cgi-bin/finger"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Perlshop CGI access attempt";flags:PA; content:"/perlshop.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Files CGI access attempt";flags:PA; content:"/files.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Rguest CGI access attempt";flags:PA; content:"/rguest.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rwwwshell CGI access attempt";flags:PA; content:"rwwwshell.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Survey CGI access attempt";flags:PA; content:"survey.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS218 - CVE-1999-0070 - TEST-CGI probe"; flags:PA; content:"test-cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Textcounter CGI access attempt";flags:PA; content:"textcounter.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Upload CGI access attempt";flags:PA; content:"uploader.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Webdist CGI access attempt";flags:PA; content:"webdist.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-NPH-publish CGI access attempt";flags:PA; content:"nph-publish"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI pf display access attempt";flags:PA; content:"/pfdisplay.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Count.cgi probe!"; flags:PA; content:"cgi-bin/Count.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Aglimpse CGI access attempt";flags:PA; content:"/aglimpse"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS225 - CVE-1999-0066 - CGI-AnyForm access attempt";flags:PA; content:"/AnForm2"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Args CGI access attempt";flags:PA; content:"/args.bat"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AT-admin CGI access attempt";flags:PA; content:"/AT-admin.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Bnbform CGI access attempt";flags:PA; content:"/bnbform.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Campas CGI access attempt";flags:PA; content:"/campas"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Glimpse CGI access attempt";flags:PA; content:"/glimpse"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS219 - WEB-CGI-Perl access attempt";flags:PA; content:"perl.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Wguest CGI access attempt";flags:PA; content:"wguest.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI view-source access attempt";flags:PA; content:"/view-source?../../../../../../../etc/passwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Cgichk Pf display access attempt";flags:PA; content:"/pfdispaly.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS234 - WEB-CGI-Cgiwrap CGI access attempt";flags:PA; content:"cgiwrap"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Classifieds CGI access attempt";flags:PA; content:"cgi-bin/classifieds.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Edit CGI access attempt";flags:PA; content:"/edit.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Environ CGI access attempt";flags:PA; content:"/environ.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Faxsurvey probe"; flags:PA; content:"/faxsurvey"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Filemail CGI access attempt";flags:PA; content:"/filemail.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI Man access attempt";flags:PA; content:"/man.sh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rsh";flags:PA; content:"/rsh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-dumpenv.pl";flags:PA; content:"/dumpenv.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-visadmin.exe";flags:PA; content:"visadmin.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bash shell";flags:PA; content:"/bash"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-csh shell";flags:PA; content:"cgi-bin/csh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datacopier.cgi";flags:PA; content:"/day5datacopier.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datanotifier.cgi";flags:PA; content:"/day5datanotifier.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ksh shell";flags:PA; content:"/ksh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Webgais CGI access attempt";flags:PA; content:"webgais"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rksh";flags:PA; content:"/rksh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AnyForm2";flags:PA; content:"/AnyForm2"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS220 - WEB-CGI-snork.bat";flags:PA; content:"snork.bat"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-snorkerz.cmd";flags:PA; content:"snorkerz.cmd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-survey";flags:PA; content:"survey.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-tsch shell";flags:PA; content:"tcsh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS227 - Web-CGI-Scriptalias"; flags: PA; content: "///";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS211 - Web-CGI-w3-msql-solx86"; flags: PA; content: "/bin/shA-cA/usr/openwin"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS231 - CVE-1999-0178 - CGI-win-c-sample"; flags: PA; content: "win-c-sample.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-post-query";flags:PA; content:"/post-query"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS210 - WEB-CGI-w3-msql";flags:PA; content:"w3-msql"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Wrap CGI access attempt";flags:PA; content:"wrap"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWWboard CGI access attempt";flags:PA; content:"wwwboard.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWW-SQL CGI access attempt";flags:PA; content:"www-sql"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-LWGate Attempt";flags:PA; content:"/LWGate"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-archie";flags:PA; content:"/archie"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-calendar";flags:PA; content:"cgi-bin/calendar"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-flexform";flags:PA; content:"/flexform"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bb-hist.sh";flags:PA; content:"/bb-hist.sh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-redirectt";flags:PA; content:"/redirect"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-MachineInfo";flags:PA; content:"/MachineInfo"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-w2tvars";flags:PA; content:"w3tvars.pm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wais";flags:PA; content:"wais.pl";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwadmin";flags:PA; content:"wwwadmin.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ppdscgi";flags:PA; content:"/ppdscgi.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-sendform.cgi";flags:PA; content:"sendform.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-upload.pl";flags:PA; content:"upload.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwuploader.exe";flags:PA; content:"cgi-win/wwwuploader.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Websendmail CGI access attempt";flags:PA; content:"websendmail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS226 - CVE-1999-0172 - CGI-formmail";flags:PA; content:"/formmail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc dsn";flags:PA; content:"CFUSION_GETODBCDSN()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-encrypt";flags:PA; content:"CFUSION_ENCRYPT()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasource";flags:PA; content:"CF_ISCOLDFUSIONDATASOURCE()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourcepassword";flags:PA; content:"CF_SETDATASOURCEPASSWORD()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourceusername";flags:PA; content:"CF_SETDATASOURCEUSERNAME()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-db connections flush";flags:PA; content:"CFUSION_DBCONNECTIONS_FLUSH()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-display";flags:PA; content:"cfdocs/expeval/displayopenedfile.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-evaluate";flags:PA; content:"cfdocs/snippets/evaluate.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-beaninfo";flags:PA; content:"cfdocs/examples/cvbeans/beaninfo.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-cfappman";flags:PA; content:"/cfappman/index.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-parks";flags:PA; content:"cfdocs/examples/parks/detail.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0455 - ColdFusion-exprcalc";flags:PA; content:"cfdocs/expeval/exprcalc.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-decrypt";flags:PA; content:"CFUSION_DECRYPT()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get datasourceusername";flags:PA; content:"CF_GETDATASOURCEUSERNAME()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS269 - CAN-2000-0189 - Coldfusion onrequestend.cfm"; flags: PA; content: "onrequestend.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc ini";flags:PA; content:"CFUSION_GETODBCINI()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-gettempdirectory";flags:PA; content:"cfdocs/snippets/gettempdirectory.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-mainframeset";flags:PA; content:"cfdocs/examples/mainframeset.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS250 - CAN-1999-0477 - ColdFusion-openfile";flags:PA; content:"cfdocs/expeval/openfile.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sendmail";flags:PA; content:"cfdocs/expeval/sendmail.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-set odbc ini";flags:PA; content:"CFUSION_SETODBCINI()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-settings refresh";flags:PA; content:"CFUSION_SETTINGS_REFRESH()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sourcewindow";flags:PA; content:"cfdocs/exampleapp/docs/sourcewindow.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-verify mail";flags:PA; content:"CFUSION_VERIFYMAIL()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-viewexample";flags:PA; content:"cfdocs/snippets/viewexample.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-COLDFUSION-cfmlsyntaxcheck";flags:PA; content:"cfdocs/cfmlsyntaxcheck.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS268 - CAN-2000-0189 - Coldfusion application.cfm"; flags: PA; content: "application.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-fileexists";flags:PA; content:"cfdocs/snippets/fileexists.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.txt";flags:PA; content:"_private/register.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-admin.pl";flags:PA; content:"admin.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-administrators.pwd";flags:PA; content:"administrators.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-author.exe";flags:PA; content:"_vti_bin/_vti_aut/author.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-authors.pwd";flags:PA; content:"authors.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-cfgwiz.exe";flags:PA; content:"cfgqiz.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-contents.htm";flags:PA; content:"admcgi/contents.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results";flags:PA; content:"_private/form_results.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results.htm";flags:PA; content:"_private/form_results.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-Fpadmcgi.exe";flags:PA; content:"scripts/Fpadmcgi.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpadmin.htm";flags:PA; content:"admisapi/fpadmin.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpremadm.exe";flags:PA; content:"fpremadm.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpsrvadm.exe";flags:PA; content:"fpsrvadm.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.htm";flags:PA; content:"_private/orders.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-access.cnf";flags:PA; content:"_vti_pvt/access.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-services.cnf";flags:PA; content:"_vti_pvt/services.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS237 - Web-Frontpage .htw"; flags: PA; content: ".htw"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS248 - Web-Frontpage pwd fourdots request"; flags: PA; content: "..../"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-writeto.cnf";flags:PA; content:"_vti_pvt/writeto.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-users.pwd";flags:PA; content:"users.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-svcacl.cnf";flags:PA; content:"_vti_pvt/svcacl.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.txt";flags:PA; content:"_private/orders.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.dll";flags:PA; content:"_vti_bin/shtml.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.htm";flags:PA; content:"_private/register.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.stp";flags:PA; content:"_vti_pvt/service.stp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.pwd";flags:PA; content:"service.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.cnf";flags:PA; content:"_vti_pvt/service.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.txt";flags:PA; content:"_private/registrations.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.htm";flags:PA; content:"_private/registrations.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS271 - WEB-FrontPage - dvwssr request"; flags: PA; content: "dvwssr.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.exe";flags:PA; content:"_vti_bin/shtml.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"Attempt to retrieve ASP contents"; flags:PA; content:"GET /null.htw?CiWebHitsFile";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"Attempt to retrieve ASP contents"; flags:PA; content:"%20&CiRestriction=none&CiHiliteType=Full HTTP/1.0";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISM.DLL Exploit Attempt"; flags:PA; content:"%20%20%20%20%20.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvrs";flags:PA; content:"scripts/tools/getdrvrs.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-cmd?";flags:PA; content:".cmd?&"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0449 - IIS-codebrowser Exair";flags:PA; content:"iissamples/exair/howitworks/codebrws.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-codebrowser SDK";flags:PA; content:"iissamples/sdk/asp/docs/codebrws.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-ctguestb.idc";flags:PA; content:"scripts/samples/ctguestb.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-del";flags:PA; content:"&del+/s+c|3a|\*.*"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-details.idc";flags:PA; content:"scripts/samples/details.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-CGImail";flags:PA; content:"scripts/CGImail.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-fpcount";flags:PA; content:"scripts/fpcount.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bdir";flags:PA; content:"scripts/iisadmin/bdir.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-idc-srch";flags:PA; content:"#filename=*.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-iisadmpwd";flags:PA; content:"iisadmpwd/aexp3.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-isc$data";flags:PA; content:".idc|3a3a|$data"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-exec-srch";flags:PA; content:"#filename=*.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-dll-serv";flags:PA; content:"scripts/iisadmin/ism.dll?http/serv"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-*.idc";flags:PA; content:"*.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_Site Server Config";flags:PA; content:"adsamples/config/site.csc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_vti_inf";flags:PA; content:"_vti_inf.html"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-adctest.asp";flags:PA; content:"msadc/samples/adctest.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin";flags:PA; content:"scripts/iisadmin"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-catalog_type";flags:PA; content:"AdvWorks/equipment/catalog_type.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-dll";flags:PA; content:"scripts/iisadmin/ism.dll?http/dir"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-msadc/msadcs.dll";flags:PA; content:"msadc/msadcs.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0278 - IIS-asp$data";flags:PA; content:".asp|3a3a|$data"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-dot";flags:PA; content:".asp."; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-srch";flags:PA; content:"#filename=*.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bat?";flags:PA; content:".bat?&"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-Overflow-htr";flags:PA; content:"BBBB.htrHTTP"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-carbo.dll";flags:PA; content:"carbo.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-default";flags:PA; content:"scripts/iisadmin/default.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp.htr Attempt";flags:PA; content:"iisadmpwd/aexp.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB IIS - Index Server File Sourcecode Request"; flags:PA; content:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS200 - Web-IIS Encoding"; flags:PA; content: "|25 31 75|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS - Possible Attempt at FPCOUNT.EXE DoS"; flags:PA; content:"fpcount.exe"; content:"Digits=-"; nocase;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1031:1035 (msg:"IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1029 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1091 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1043 (msg:"IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1038 (msg:"IIS - Possible Attempt at NT TCPSVCS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvs.exe";flags:PA; content:"scripts/tools/getdrvs.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-anot3.htr Attempt";flags:PA; content:"iisadmpwd/anot3.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-anot.htr Attempt";flags:PA; content:"iisadmpwd/anot.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp4b.htr Attempt";flags:PA; content:"iisadmpwd/aexp4b.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp4.htr Attempt";flags:PA; content:"iisadmpwd/aexp4.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-MSProxy";flags:PA; content:"scripts/proxy/w3proxy.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0736 - IIS-showcode";flags:PA; content:"/selector/showcode.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0191 - IIS-newdsn";flags:PA; content:"scripts/tools/newdsn.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl";flags:PA; content:"scripts/perl?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse0a";flags:PA; content:"%0a.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse20";flags:PA; content:"%20.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-SAM Attempt";flags:PA; content:"sam._"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp2b.htr Attempt";flags:PA; content:"iisadmpwd/aexp2b.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-search97";flags:PA; content:"search97.vts";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp2.htr Attempt";flags:PA; content:"iisadmpwd/aexp2.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.asp";flags:PA; content:"/issamples/query.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.htm";flags:PA; content:"samples/isapi/srch.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srchadm";flags:PA; content:"srchadm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-uploadn";flags:PA; content:"scripts/uploadn.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-achg.htr Attempt";flags:PA; content:"iisadmpwd/achg.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 - IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-scripts-browse";flags:PA; content:"scripts/|20|"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - /cgi-bin/jj attempt"; content:"cgi-bin/jj"; nocase; flags:PA; ) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - architext_query.pl attempt"; content:"/ews/architext_query.pl"; nocase; flags:PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - wwwboard.pl attempt"; content:"cgi-bin/wwwboard.pl"; nocase; flags:PA; ) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Cart 32 AdminPwd Access"; flags:PA; content:"c32web.exe/ChangeAdminPassword"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-PageService";flags:PA; content:"?PageServices"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-etc/passwd";flags:PA; content:"etc/passwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ICQ webserver";flags:PA; content:".html/......"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-DelDoc";flags:PA; content:"?DeleteDocument"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-EditDoc";flags:PA; content:"?EditDocument"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ls%20-l";flags:PA; content:"ls%20-l"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mlog";flags:PA; content:"mlog.phtml?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mylog";flags:PA; content:"mylog.phtml?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"orders/import.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-OReilly win-c-sample.exe";flags:PA; content:"cgi-shl/win-c-sample.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-check.txt";flags:PA; content:"config/check.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-prefix-get //";flags:PA; content:"get //"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-webcart";flags:PA; content:"/webcart/"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-AuthChangeUrl";flags:PA; content:"_AuthChangeUrl?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-convert.bas Attempt";flags:PA; content:"scripts/convert.bas"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-OReilly args.bat";flags:PA; content:"cgi-dos/args.bat"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-count.cgi";flags:PA; content:"count.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0229 - IIS WEB-..\..";flags:PA; content:"|2e2e5c2e2e|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-/....";flags:PA; content:"|2f2e2e2e2e|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-///cgi-bin";flags:PA; content:"///cgi-bin"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-~root";flags:PA; content:"~root"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ApacheDOS";flags:PA; content:"|2f2f2f2f2f2f2f2f|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cat%20";flags:PA; content:"cat%20"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"config/import.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cgi-bin///";flags:PA; content:"cgi-bin///"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cpshost.dll Attempt";flags:PA; content:"scripts/cpshost.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-catalog.nsf";flags:PA; content:"catalog.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domcfg.nsf";flags:PA; content:"domcfg.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domlog.nsf";flags:PA; content:"domlog.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-log.nsf";flags:PA; content:"log.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-names.nsf";flags:PA; content:"names.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.wwwacl";flags:PA; content:"secure/wwwacl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-checks.txt";flags:PA; content:"orders/checks.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cd..";flags:PA; content:"cd.."; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"MISC WEB - BizDB Script Exploit"; flags:PA; content:"bizdb1-search.cgi"; content:"mail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt";flags:PA; content:"scripts/../../cmd.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-html-rend"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1057 - Trend Micro OfficeScan Access"; flags:PA; content:"officescan/cgi/jdkRqNotify.exe?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1053 - Oracle Web Listener Batch Access"; flags:PA; content:"ows-bin/&"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1052 - Sojourn File Access"; flags:PA; content:"/sojourn.cgi?cat="; content:"%00"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1031 - SGI InfoSearch fname Access"; flags:PA; content:"infosrch.cgi?"; content:"fname="; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-stop-ver"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"MISC WEB - SalesLogix Eviewer Web Shutdown"; flags:PA; content:"/slxweb.dll/admin?command="; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-start-ver";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"MISC WEB - Netscape PublishingXpert 2 Exploit"; flags:PA; content:"/PSUser/PSCOErrPage.htm?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - windmail.exe Access Detected"; content:"windmail.exe?-n"; content:"mail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Webplus Access Detected"; content:"webplus?script"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS270 - WEB MISC - Netscape dir index wp"; flags:PA; content: "?wp-"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS272 - Piranha Passwd.php3"; flags:PA; content: "passwd.php3";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Novell Groupwise gwweb.exe access"; flags:PA; content:"GWWEB.EXE?HELP="; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1036 - Caldera OpenLinux rpm_query Access"; flags:PA; content:"cgi-bin/rmp_query"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS258 - Web cgi get32.exe"; flags:PA; content: "get32.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.htaccess";flags:PA; content:".htaccess"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 457 (msg:"IDS180 - WEB-netscape-overflow-unixware"; flags: AP; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS205 - WEB-MISC - Phorum Admin"; flags: AP; content:"admin.php3"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS206 - WEB-MISC - Phorum Auth"; flags: AP; content:"PHP_AUTH_USER=boogieman"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS207 - WEB-MISC - Phorum Code"; flags: AP; content:"code.php3"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS208 - WEB-MISC - Phorum Read"; flags: AP; content:"read.php3"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-uncheckout"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-../..";flags:PA; content:"|2e2e2f2e2e|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS265 - Web cgi cgitest"; content: "cgitest.exe|0d0a|user"; nocase; flags: AP; offset: "4";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-cs-dump";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-ver-info";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-usr-prop";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-ver-diff";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-verify-link";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS209 - WEB-MISC - Phorum Violation"; flags: AP; content:"violation.php3"; nocase;) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Kill Window Client Request"; content:"38";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Rehash Client Request"; content:"911";) alert udp !$HOME_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Password Change Client Request"; content:"91";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 All Window List Client Request"; content:"370";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 RAS Passwords Client Request"; content:"17";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Disable Window Client Request"; content:"23";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Enable Window Client Request"; content:"24";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Change Window Title Client Request"; content:"60";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide Window Client Request"; content:"26";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Window Client Request"; content:"25";) alert udp $HOME_NET 3150 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Wrong Password"; content:"Wrong Password";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Visible Window List Client Request"; content:"37";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Status From Server"; content:"Host";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";) alert udp $HOME_NET 3150 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Wrong Password";: content:"Wrong Password";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 System Info From Server"; content:"Comp Name";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Drive Info Client Request"; content:"130";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Password Remove Client Request"; content:"92";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server Status Client Request"; content:"10";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Picture Client Request"; content:"22";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 E-Mail Info Client Request"; content:"12";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 FTP Status Client Request"; content:"09";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server FTP Port Change Client Request"; content:"21";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Cached Passwords Client Request"; content:"16";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Drive Info From Server"; content:"C - ";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Resolution Change Client Request"; content:"125";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Send Text to Window Client Request"; content:"63";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Dialog Box Client Request"; content:"70";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Monitor on/off Client Request"; content:"07";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Send to URL Client Request"; content:"12";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 FTP Server Port Client Request"; content:"21";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Process List Client request"; content:"64";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Close Port Scan Client Request"; content:"121";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"117";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Create Directory Client Request"; content:"39";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Change Wallpaper Client Request"; content:"20";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Delete File Client Request"; content:"41";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Play Sound Client Request"; content:"36";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Run Program Normal Client Request"; content:"14";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Get NET File Client Request"; content:"100";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Registry Add Client Request"; content:"89";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"118";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 HUP Modem Client Request"; content:"199";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 CD ROM Open Client Request"; content:"02";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 CD ROM Close Client Request"; content:"03";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR BETA SIGNATURE - DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";)