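# This file was created by s2b.pl on Mon Sep 20 13:14:53 2004.
# This file is dynamically generated each time s2b.pl is run and therefore any
# changes done manually will be overwritten.
# $Id: signatures.sig 840 2004-11-30 22:33:48Z jason $
#
# NOTE(review): each signature and each "# Not supported:" comment must sit on
# its own line -- a '#' comment runs to end of line, so collapsing the file onto
# long lines silently comments out every directive (and signature) that follows
# the comment on that line. Because this file is regenerated, fixes to the
# translations flagged below belong in s2b.pl or the Snort source rules.

signature s2b-1292-8 {
  ip-proto == tcp
  event "ATTACK-RESPONSES directory listing"
  tcp-state established,responder
  payload /.*Volume Serial Number/
}

signature s2b-495-7 {
  ip-proto == tcp
  src-port == http_ports
  event "ATTACK-RESPONSES command error"
  tcp-state established,responder
  payload /.*[bB][aA][dD] [cC][oO][mM][mM][aA][nN][dD] [oO][rR] [fF][iI][lL][eE][nN][aA][mM][eE]/
}

signature s2b-497-8 {
  ip-proto == tcp
  src-port == http_ports
  event "ATTACK-RESPONSES file copied ok"
  tcp-state established,responder
  payload /.*1 [fF][iI][lL][eE]\x28[sS]\x29 [cC][oO][pP][iI][eE][dD]/
}

signature s2b-1666-5 {
  ip-proto == tcp
  src-port == http_ports
  event "ATTACK-RESPONSES index of /cgi-bin/ response"
  tcp-state established,responder
  payload /.*[iI][nN][dD][eE][xX] [oO][fF] \/[cC][gG][iI]-[bB][iI][nN]\//
  requires-reverse-signature ! http_error
}

signature s2b-498-6 {
  event "ATTACK-RESPONSES id check returned root"
  payload /.*uid=0\x28root\x29/
}

signature s2b-1882-10 {
  # Not supported: byte_test: 5,<,65537,0,relative,string,5,<,65537,0,relative,string
  # The Snort byte_test bounds were dropped (see above), so the payload regex
  # alone decides the match and is looser than the original rule.
  event "ATTACK-RESPONSES id check returned userid"
  payload /.*uid=.{0,10} gid=/
  requires-reverse-signature ! http_error
}

signature s2b-1464-3 {
  ip-proto == tcp
  src-port == 8002
  event "ATTACK-RESPONSES oracle one hour install"
  tcp-state established,responder
  payload /.*Oracle Applications One-Hour Install/
  requires-reverse-signature ! http_error
}

signature s2b-1900-10 {
  ip-proto == tcp
  src-port == 749
  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
  tcp-state established,responder
  payload /\*GOBBLE\*/
  requires-reverse-signature !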
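http_error
}

signature s2b-1901-10 {
  ip-proto == tcp
  src-port == 751
  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
  tcp-state established,responder
  payload /\*GOBBLE\*/
}

signature s2b-1810-9 {
  ip-proto == tcp
  src-port == 22
  event "ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"
  tcp-state established,responder
  payload /.*\*GOBBLE\*/
  requires-reverse-signature ! http_error
}

signature s2b-1811-8 {
  ip-proto == tcp
  src-port == 22
  event "ATTACK-RESPONSES successful gobbles ssh exploit uname"
  tcp-state established,responder
  payload /.*uname/
}

signature s2b-2104-3 {
  ip-proto == tcp
  src-port == 512
  event "ATTACK-RESPONSES rexec username too long response"
  tcp-state established,responder
  payload /username too long/
}

signature s2b-2123-2 {
  ip-proto == tcp
  # NOTE(review): both port conditions below must hold at once, so no
  # src-port can satisfy this signature and it can never fire; presumably
  # the Snort rule negated the 21-23 range -- confirm the s2b.pl port
  # translation.
  src-port < 21
  src-port > 23
  event "ATTACK-RESPONSES Microsoft cmd.exe banner"
  tcp-state established,responder
  payload /.*Microsoft Windows.*.*\x28C\x29 Copyright 1985-.*.*Microsoft Corp\./
  requires-reverse-signature !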
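http_error
}

signature s2b-2412-3 {
  ip-proto == tcp
  event "ATTACK-RESPONSES successful cross site scripting forced download attempt"
  tcp-state established,originator
  payload /.*\x0AReferer\x3A res\x3A\/C\x3A/
}

signature s2b-103-7 {
  ip-proto == tcp
  src-port == 27374
  event "BACKDOOR subseven 22"
  tcp-state established,originator
  payload /.*\x0D\x0A\[RPL\]002\x0D\x0A/
}

signature s2b-107-6 {
  ip-proto == tcp
  src-port == 16959
  event "BACKDOOR subseven DEFCON8 2.1 access"
  tcp-state established,responder
  payload /.*PWD/
}

signature s2b-109-5 {
  ip-proto == tcp
  src-port >= 12345
  src-port <= 12346
  event "BACKDOOR netbus active"
  tcp-state established,responder
  payload /.*NetBus/
}

signature s2b-110-4 {
  ip-proto == tcp
  dst-port >= 12345
  dst-port <= 12346
  event "BACKDOOR netbus getinfo"
  tcp-state established,originator
  payload /.*GetInfo\x0D/
}

signature s2b-115-5 {
  ip-proto == tcp
  src-port == 20034
  event "BACKDOOR netbus active"
  tcp-state established,originator
  payload /.*NetBus/
}

signature s2b-1980-1 {
  ip-proto == udp
  dst-port == 2140
  event "BACKDOOR DeepThroat 3.1 Connection attempt"
  payload /00/
}

signature s2b-195-5 {
  ip-proto == udp
  src-port == 2140
  event "BACKDOOR DeepThroat 3.1 Server Response"
  payload /.*Ahhhh My Mouth Is Open/
}

signature s2b-1981-1 {
  ip-proto == udp
  dst-port == 3150
  event "BACKDOOR DeepThroat 3.1 Connection attempt [3150]"
  payload /00/
}

signature s2b-1982-1 {
  ip-proto == udp
  src-port == 3150
  event "BACKDOOR DeepThroat 3.1 Server Response [3150]"
  payload /.*Ahhhh My Mouth Is Open/
}

signature s2b-1983-1 {
  ip-proto == udp
  dst-port == 4120
  event "BACKDOOR DeepThroat 3.1 Connection attempt [4120]"
  payload /00/
}

signature s2b-1984-1 {
  ip-proto == udp
  src-port == 4120
  event "BACKDOOR DeepThroat 3.1 Server Response [4120]"
  payload /.*Ahhhh My Mouth Is Open/
}

signature s2b-119-5 {
  ip-proto == tcp
  src-port == 6789
  event "BACKDOOR Doly 2.0 access"
  tcp-state established,responder
  payload /.{0,23}Wtzup Use/
}

signature s2b-104-7 {
  ip-proto == tcp
  src-port >=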
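1024
  src-port <= 65535
  dst-port == 2589
  event "BACKDOOR - Dagger_1.4.0_client_connect"
  tcp-state established,originator
  payload /.{0,1}\x0B\x00\x00\x00\x07\x00\x00\x00Connect/
}

signature s2b-105-7 {
  ip-proto == tcp
  src-port == 2589
  dst-port >= 1024
  dst-port <= 65535
  event "BACKDOOR - Dagger_1.4.0"
  tcp-state established,responder
  payload /2\x00\x00\x00\x06\x00\x00\x00Drives\x24\x00/
}

signature s2b-106-8 {
  ip-proto == tcp
  src-port == 80
  dst-port == 1054
  header tcp[8:4] == 101058054
  header tcp[13:1] & 255 == 16
  header tcp[4:4] == 101058054
  event "BACKDOOR ACKcmdC trojan scan"
  tcp-state stateless
}

signature s2b-108-6 {
  ip-proto == tcp
  dst-port == 7597
  event "BACKDOOR QAZ Worm Client Login access"
  tcp-state established,originator
  payload /.*qazwsx\.hsq/
}

signature s2b-117-6 {
  ip-proto == tcp
  src-port == 146
  dst-port >= 1024
  dst-port <= 65535
  event "BACKDOOR Infector.1.x"
  tcp-state established,responder
  payload /.*WHATISIT/
}

signature s2b-118-5 {
  ip-proto == tcp
  src-port == 666
  dst-port >= 1024
  dst-port <= 65535
  event "BACKDOOR SatansBackdoor.2.0.Beta"
  tcp-state established,responder
  payload /.*Remote\x3A You are connected to me\./
}

signature s2b-120-5 {
  ip-proto == tcp
  src-port == 146
  dst-port >= 1000
  dst-port <= 1300
  event "BACKDOOR Infector 1.6 Server to Client"
  tcp-state established,responder
  payload /.*WHATISIT/
}

signature s2b-145-5 {
  ip-proto == tcp
  src-port != 80
  dst-port == 21554
  event "BACKDOOR GirlFriendaccess"
  tcp-state established,originator
  payload /.*Girl/
}

signature s2b-146-5 {
  ip-proto == tcp
  src-port == 30100
  event "BACKDOOR NetSphere access"
  tcp-state established,responder
  payload /.*NetSphere/
}

signature s2b-147-5 {
  ip-proto == tcp
  src-port == 6969
  event "BACKDOOR GateCrasher"
  tcp-state established,responder
  payload /.*GateCrasher/
}

signature s2b-152-6 {
  ip-proto == tcp
  src-port >= 5401
  src-port <= 5402
  event "BACKDOOR BackConstruction 2.1 Connection"
  tcp-state established,responder
  payload /.*c\x3A\x5C/
}

signature s2b-153-5 {
  ip-proto ==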
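tcp
  src-port == 23476
  event "BACKDOOR DonaldDick 1.53 Traffic"
  tcp-state established,responder
  payload /.*pINg/
}

signature s2b-155-5 {
  ip-proto == tcp
  src-port >= 30100
  src-port <= 30102
  event "BACKDOOR NetSphere 1.31.337 access"
  tcp-state established,responder
  payload /.*NetSphere/
}

signature s2b-157-5 {
  ip-proto == tcp
  dst-port == 666
  event "BACKDOOR BackConstruction 2.1 Client FTP Open Request"
  tcp-state established,originator
  payload /.*FTPON/
}

signature s2b-158-5 {
  ip-proto == tcp
  src-port == 666
  event "BACKDOOR BackConstruction 2.1 Server FTP Open Reply"
  tcp-state established,responder
  payload /.*FTP Port open/
}

signature s2b-159-6 {
  ip-proto == tcp
  dst-port == 5032
  dst-ip == local_nets
  event "BACKDOOR NetMetro File List"
  tcp-state established,originator
  payload /.*--/
}

signature s2b-161-4 {
  ip-proto == udp
  src-port == 3344
  dst-port == 3345
  event "BACKDOOR Matrix 2.0 Client connect"
  payload /.*activate/
}

signature s2b-162-4 {
  ip-proto == udp
  src-port == 3345
  dst-port == 3344
  event "BACKDOOR Matrix 2.0 Server access"
  payload /.*logged in/
}

signature s2b-163-8 {
  ip-proto == tcp
  src-port == 5714
  header tcp[13:1] & 255 == 18
  event "BACKDOOR WinCrash 1.0 Server Active"
  tcp-state stateless
  payload /.*\xB4\xB4/
}

signature s2b-185-5 {
  ip-proto == tcp
  dst-port == 79
  event "BACKDOOR CDK"
  tcp-state established,originator
  payload /.{0,9}[yY][pP][iI]0[cC][aA]/
}

signature s2b-208-5 {
  ip-proto == tcp
  src-port == 555
  event "BACKDOOR PhaseZero Server Active on Network"
  tcp-state established,responder
  payload /.*phAse/
}

signature s2b-209-4 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR w00w00 attempt"
  tcp-state established,originator
  payload /.*w00w00/
}

signature s2b-210-3 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR attempt"
  tcp-state established,originator
  payload /.*[bB][aA][cC][kK][dD][oO][oO][rR]/
}

signature s2b-211-3 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR MISC r00t attempt"
  tcp-state established,originator
  payload /.*r00t/
}

signature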
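s2b-212-3 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR MISC rewt attempt"
  tcp-state established,originator
  payload /.*rewt/
}

signature s2b-213-4 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR MISC Linux rootkit attempt"
  tcp-state established,originator
  payload /.*wh00t!/
}

signature s2b-214-4 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR MISC Linux rootkit attempt lrkr0x"
  tcp-state established,originator
  payload /.*lrkr0x/
}

signature s2b-215-4 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR MISC Linux rootkit attempt"
  tcp-state established,originator
  payload /.*[dD]13[hH][hH]\[/
}

signature s2b-216-6 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR MISC Linux rootkit satori attempt"
  tcp-state established,originator
  payload /.*satori/
}

signature s2b-217-3 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR MISC sm4ck attempt"
  tcp-state established,originator
  payload /.*hax0r/
}

signature s2b-219-6 {
  ip-proto == tcp
  dst-port == 23
  event "BACKDOOR HidePak backdoor attempt"
  tcp-state established,originator
  payload /.*StoogR/
}

signature s2b-614-7 {
  ip-proto == tcp
  src-port == 31790
  dst-port == 31789
  header tcp[13:1] & 255 == 16
  event "BACKDOOR hack-a-tack attempt"
  tcp-state stateless
  payload /A/
}

signature s2b-1853-6 {
  ip-proto == udp
  dst-port == 35555
  event "BACKDOOR win-trin00 connection attempt"
  payload /png \[\]\.\.Ks l44/
}

signature s2b-1843-6 {
  ip-proto == tcp
  dst-port == 33270
  event "BACKDOOR trinity connection attempt"
  tcp-state established,originator
  payload /!@\x23/
}

signature s2b-2100-2 {
  ip-proto == tcp
  event "BACKDOOR SubSeven 2.1 Gold server connection response"
  tcp-state established,responder
  # The regex contains a literal space before "time"; it must stay on one line.
  payload /connected\. time\/date\x3A .{1}.*version\x3A GOLD 2\.1/
}

signature s2b-2124-3 {
  ip-proto == tcp
  dst-port == 34012
  event "BACKDOOR Remote PC Access connection attempt"
  tcp-state established,originator
  payload /\x28\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00/
}

signature s2b-2271-2 {
  ip-proto == tcp
  event "BACKDOOR FsSniffer connection attempt"
  tcp-state established,originator
  payload /.*RemoteNC Control Password\x3A/
}

signature s2b-2375-3 {
  ip-proto == tcp
  dst-port >= 3127
  dst-port <= 3199
  event "BACKDOOR DoomJuice file upload attempt"
  tcp-state established,originator
  payload /^\x85\x13<\x9E\xA2/
}

signature s2b-542-10 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  event "CHAT IRC nick change"
  tcp-state established,originator
  payload /.*NICK /
}

signature s2b-1639-6 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  event "CHAT IRC DCC file transfer request"
  tcp-state established,originator
  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
  payload /.* \x3A\.[dD][cC][cC] [sS][eE][nN][dD]/
}

signature s2b-1640-6 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  event "CHAT IRC DCC chat request"
  tcp-state established,originator
  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
  payload /.* \x3A\.[dD][cC][cC] [cC][hH][aA][tT] [cC][hH][aA][tT]/
}

signature s2b-1729-5 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  event "CHAT IRC channel join"
  tcp-state established,originator
  payload /.*[jJ][oO][iI][nN] \x3A \x23/
}

signature s2b-1463-6 {
  ip-proto == tcp
  src-port >= 6666
  src-port <= 7000
  event "CHAT IRC message"
  tcp-state established
  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
}

signature s2b-1789-3 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  event "CHAT IRC dns request"
  tcp-state established,originator
  payload /.*[uU][sS][eE][rR][hH][oO][sS][tT] /
}

signature s2b-1790-4 {
  ip-proto == tcp
  src-port >= 6666
  src-port <= 7000
  event "CHAT IRC dns response"
  tcp-state established,responder
  payload /.*\x3A/
  payload /.* 302 /
  payload /.*=\+/
}

signature s2b-221-3 {
  ip-proto == icmp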
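header icmp[0:1] == 8
  event "DDOS TFN Probe"
  header ip[4:2] == 678
  payload /.*1234/
}

signature s2b-222-2 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS tfn2k icmp possible communication"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 0
  payload /.*AAAAAAAAAA/
}

signature s2b-223-3 {
  ip-proto == udp
  dst-port == 31335
  event "DDOS Trin00 Daemon to Master PONG message detected"
  payload /.*PONG/
}

signature s2b-228-3 {
  ip-proto == icmp
  header icmp[0:1] == 0
  header icmp[0:1] == 0,8
  header icmp[6:2] == 0
  event "DDOS TFN client command BE"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 456
}

signature s2b-230-5 {
  ip-proto == tcp
  src-port == 20432
  event "DDOS shaft client login to handler"
  tcp-state established,responder
  payload /.*login\x3A/
}

signature s2b-239-2 {
  ip-proto == udp
  dst-port == 18753
  event "DDOS shaft handler to agent"
  payload /.*alive tijgu/
}

signature s2b-240-2 {
  ip-proto == udp
  dst-port == 20433
  event "DDOS shaft agent to handler"
  payload /.*alive/
}

signature s2b-241-7 {
  ip-proto == tcp
  header tcp[13:1] & 255 == 2
  header tcp[4:4] == 674711609
  event "DDOS shaft synflood"
  tcp-state stateless
}

signature s2b-231-3 {
  ip-proto == udp
  dst-port == 31335
  event "DDOS Trin00 Daemon to Master message detected"
  payload /.*l44/
}

signature s2b-232-5 {
  ip-proto == udp
  dst-port == 31335
  event "DDOS Trin00 Daemon to Master *HELLO* message detected"
  payload /.*\*HELLO\*/
}

signature s2b-233-3 {
  ip-proto == tcp
  dst-port == 27665
  event "DDOS Trin00 Attacker to Master default startup password"
  tcp-state established,originator
  payload /.*betaalmostdone/
}

signature s2b-234-2 {
  ip-proto == tcp
  dst-port == 27665
  event "DDOS Trin00 Attacker to Master default password"
  tcp-state established,originator
  payload /.*gOrave/
}

signature s2b-235-2 {
  ip-proto == tcp
  dst-port == 27665
  event "DDOS Trin00 Attacker to Master default mdie password"
  tcp-state established,originator
  payload /.*killme/
}

signature s2b-237-2 {
  ip-proto == udp
  dst-port == 27444
  # The event string contains a space before "Daemon"; keep it on one line.
  event "DDOS Trin00 Master to Daemon default password attempt"
  payload /.*l44adsl/
}

signature s2b-243-2 {
  ip-proto == udp
  dst-port == 6838
  event "DDOS mstream agent to handler"
  payload /.*newserver/
}

signature s2b-244-3 {
  ip-proto == udp
  dst-port == 10498
  event "DDOS mstream handler to agent"
  payload /.*stream\//
}

signature s2b-245-3 {
  ip-proto == udp
  dst-port == 10498
  event "DDOS mstream handler ping to agent"
  payload /.*ping/
}

signature s2b-246-2 {
  ip-proto == udp
  dst-port == 10498
  event "DDOS mstream agent pong to handler"
  payload /.*pong/
}

signature s2b-247-4 {
  ip-proto == tcp
  dst-port == 12754
  event "DDOS mstream client to handler"
  tcp-state established,originator
  payload /.*>/
}

signature s2b-249-7 {
  ip-proto == tcp
  dst-port == 15104
  header tcp[13:1] & 255 == 2
  event "DDOS mstream client to handler"
  tcp-state stateless
}

signature s2b-250-4 {
  ip-proto == tcp
  src-port == 15104
  event "DDOS mstream handler to client"
  tcp-state established,responder
  payload /.*>/
}

signature s2b-251-3 {
  ip-proto == icmp
  header icmp[0:1] == 0
  header icmp[0:1] == 0,8
  header icmp[6:2] == 0
  event "DDOS - TFN client command LE"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 51201
}

signature s2b-224-3 {
  ip-proto == icmp
  src-ip == 3.3.3.3/32
  header icmp[0:1] == 0
  event "DDOS Stacheldraht server spoof"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 666
}

signature s2b-225-6 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht gag server response"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 669
  payload /.*sicken/
}

signature s2b-226-6 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht server response"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 667
  payload /.*ficken/
}

signature s2b-227-6 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht client spoofworks"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 1000
  payload /.*spoofworks/
}

signature s2b-236-6 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht client check gag"
  header icmp[0:1] == 0,8
  header icmp[4:2] ==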
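668
  payload /.*gesundheit!/
}

signature s2b-229-5 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht client check skillz"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 666
  payload /.*skillz/
}

signature s2b-1854-7 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht handler->agent niggahbitch"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 9015
  payload /.*niggahbitch/
}

signature s2b-1855-7 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht agent->handler skillz"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 6666
  payload /.*skillz/
}

signature s2b-1856-7 {
  ip-proto == icmp
  header icmp[0:1] == 0
  event "DDOS Stacheldraht handler->agent ficken"
  header icmp[0:1] == 0,8
  header icmp[4:2] == 6667
  payload /.*ficken/
}

signature s2b-255-11 {
  ip-proto == tcp
  dst-port == 53
  event "DNS zone transfer TCP"
  tcp-state established,originator
  payload /.{14}.*\x00\x00\xFC/
}

signature s2b-1948-4 {
  ip-proto == udp
  dst-port == 53
  event "DNS zone transfer UDP"
  payload /.{13}.*\x00\x00\xFC/
}

signature s2b-1435-6 {
  ip-proto == tcp
  dst-port == 53
  event "DNS named authors attempt"
  tcp-state established,originator
  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
  payload /.{11}.*\x04[bB][iI][nN][dD]/
}

signature s2b-256-5 {
  ip-proto == udp
  dst-port == 53
  event "DNS named authors attempt"
  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
  payload /.{11}.*\x04[bB][iI][nN][dD]/
}

signature s2b-257-8 {
  ip-proto == tcp
  dst-port == 53
  event "DNS named version attempt"
  tcp-state established,originator
  payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/
  payload /.{11}.*\x04[bB][iI][nN][dD]/
}

signature s2b-253-4 {
  ip-proto == udp
  src-port == 53
  event "DNS SPOOF query response PTR with TTL of 1 min. and no authority"
  payload /.*\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00/
  payload /.*\xC0\x0C\x00\x0C\x00\x01\x00\x00\x00<\x00\x0F/
}

signature s2b-254-4 {
  ip-proto == udp
  src-port == 53
  # The event string contains a space before "and"; keep it on one line.
  event "DNS SPOOF query response with TTL of 1 min. and no authority"
  payload /.*\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00/
  payload /.*\xC0\x0C\x00\x01\x00\x01\x00\x00\x00<\x00\x04/
}

signature s2b-303-11 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT named tsig overflow attempt"
  tcp-state established,originator
  payload /.*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01 \x02a/
}

signature s2b-314-9 {
  ip-proto == udp
  dst-port == 53
  event "DNS EXPLOIT named tsig overflow attempt"
  payload /.*\x80\x00\x07\x00\x00\x00\x00\x00\x01\?\x00\x01\x02/
}

signature s2b-259-7 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT named overflow ADM"
  tcp-state established,originator
  payload /.*thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool/
}

signature s2b-260-9 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT named overflow ADMROCKS"
  tcp-state established,originator
  payload /.*ADMROCKS/
}

signature s2b-261-6 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT named overflow attempt"
  tcp-state established,originator
  payload /.*\xCD\x80\xE8\xD7\xFF\xFF\xFF\/bin\/sh/
}

signature s2b-262-6 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT x86 Linux overflow attempt"
  tcp-state established,originator
  payload /.*1\xC0\xB0\?1\xDB\xB3\xFF1\xC9\xCD\x801\xC0/
}

signature s2b-264-6 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT x86 Linux overflow attempt"
  tcp-state established,originator
  payload /.*1\xC0\xB0\x02\xCD\x80\x85\xC0uL\xEBL\^\xB0/
}

signature s2b-265-7 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT x86 Linux overflow attempt ADMv2"
  tcp-state established,originator
  payload /.*\x89\xF7\x29\xC7\x89\xF3\x89\xF9\x89\xF2\xAC<\xFE/
}

signature s2b-266-6 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT x86 FreeBSD overflow attempt"
  tcp-state established,originator
  payload /.*\xEBn\^\xC6\x06\x9A1\xC9\x89N\x01\xC6F\x05/
}

signature s2b-267-5 {
  ip-proto == tcp
  dst-port == 53
  event "DNS EXPLOIT sparc overflow attempt"
  tcp-state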
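established,originator
  payload /.*\x90\x1A\xC0\x0F\x90\x02 \x08\x92\x02 \x0F\xD0\x23\xBF\xF8/
}

signature s2b-268-4 {
  payload-size == 408
  event "DOS Jolt attack"
  header ip[6:1] & 224 == 32
}

signature s2b-270-6 {
  ip-proto == udp
  event "DOS Teardrop attack"
  header ip[6:1] & 224 == 32
  header ip[4:2] == 242
}

signature s2b-271-4 {
  ip-proto == udp
  src-port == 7
  dst-port == 19
  event "DOS UDP echo+chargen bomb"
}

signature s2b-272-7 {
  header ip[9:1] == 2
  event "DOS IGMP dos attack"
  header ip[6:1] & 224 == 32
  payload /\x02\x00/
}

signature s2b-273-7 {
  header ip[9:1] == 2
  event "DOS IGMP dos attack"
  header ip[6:1] & 224 == 32
  payload /\x00\x00/
}

signature s2b-274-5 {
  ip-proto == icmp
  header icmp[0:1] == 8
  event "DOS ath"
  payload /.*\+\+\+[aA][tT][hH]/
}

signature s2b-275-10 {
  ip-proto == tcp
  header tcp[13:1] & 255 == 2
  header tcp[4:4] == 6060842
  event "DOS NAPTHA"
  tcp-state stateless
  header ip[4:2] == 413
}

signature s2b-276-5 {
  ip-proto == tcp
  dst-port == 7070
  event "DOS Real Audio Server"
  tcp-state established,originator
  payload /.*\xFF\xF4\xFF\xFD\x06/
}

signature s2b-278-5 {
  ip-proto == tcp
  dst-port == 8080
  event "DOS Real Server template.html"
  tcp-state established,originator
  payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/
}

signature s2b-279-3 {
  ip-proto == udp
  dst-port == 161
  payload-size == 0
  event "DOS Bay/Nortel Nautica Marlin"
}

signature s2b-281-5 {
  ip-proto == udp
  dst-port == 9
  event "DOS Ascend Route"
  payload /.{24}.{0,17}NAMENAME/
}

signature s2b-282-7 {
  ip-proto == tcp
  dst-port == 617
  payload-size > 1445
  event "DOS arkiea backup"
  tcp-state established,originator
}

signature s2b-1257-8 {
  ip-proto == tcp
  dst-port >= 135
  dst-port <= 139
  header tcp[13:1] & 255 == 32
  event "DOS Winnuke attack"
  tcp-state stateless
}

signature s2b-1408-8 {
  ip-proto == tcp
  dst-port == 3372
  event "DOS MSDTC attempt"
  tcp-state established,originator
  payload-size == 1024
}

signature s2b-1605-6 {
  ip-proto == tcp
  dst-port ==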
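6004
  dst-ip == local_nets
  event "DOS iParty DOS attempt"
  tcp-state established,originator
  payload /.*\xFF\xFF\xFF\xFF\xFF\xFF/
}

signature s2b-1641-5 {
  ip-proto == tcp
  dst-port >= 6789
  dst-port <= 6790
  payload-size == 1
  event "DOS DB2 dos attempt"
  tcp-state established,originator
}

signature s2b-1545-7 {
  ip-proto == tcp
  dst-port == 80
  payload-size == 1
  event "DOS Cisco attempt"
  tcp-state established,originator
  payload /\x13/
}

signature s2b-2486-5 {
  ip-proto == udp
  dst-port == 500
  # Not supported: byte_test: 2,>,4,30,2,<,8,30
  # Only the payload-type byte at offset 15 is checked here; the dropped
  # byte_test on the length field is what made the Snort rule specific.
  event "DOS ISAKMP invalid identification payload attempt"
  payload /.{15}\x05/
}

signature s2b-1324-6 {
  ip-proto == tcp
  dst-port == 22
  event "EXPLOIT ssh CRC32 overflow /bin/sh"
  tcp-state established,originator
  payload /.*\/bin\/sh/
}

signature s2b-1326-6 {
  ip-proto == tcp
  dst-port == 22
  event "EXPLOIT ssh CRC32 overflow NOOP"
  tcp-state established,originator
  payload /.*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
}

signature s2b-1327-7 {
  ip-proto == tcp
  dst-port == 22
  event "EXPLOIT ssh CRC32 overflow"
  tcp-state established,originator
  payload /\x00\x01W\x00\x00\x00\x18/
  payload /.{7}\xFF\xFF\xFF\xFF\x00\x00/
}

signature s2b-283-10 {
  ip-proto == tcp
  src-port == 80
  event "EXPLOIT Netscape 4.7 client overflow"
  tcp-state established,responder
  payload /.*3\xC9\xB1\x10\?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P/
}

signature s2b-300-7 {
  ip-proto == tcp
  dst-port == 2766
  event "EXPLOIT nlps x86 Solaris overflow"
  tcp-state established,originator
  payload /.*\xEB\x23\^3\xC0\x88F\xFA\x89F\xF5\x896/
}

signature s2b-301-7 {
  ip-proto == tcp
  dst-port == 515
  event "EXPLOIT LPRng overflow"
  tcp-state established,originator
  payload /.*C\x07\x89\[\x08\x8DK\x08\x89C\x0C\xB0\x0B\xCD\x801\xC0\xFE\xC0\xCD\x80\xE8\x94\xFF\xFF\xFF\/bin\/sh\x0A/
}

signature s2b-302-6 {
  ip-proto == tcp
  dst-port == 515
  event "EXPLOIT Redhat 7.0 lprd overflow"
  tcp-state established,originator
  payload /.*XXXX%\.172u%300\x24n/
}

signature s2b-305-9 {
  ip-proto == tcp
  dst-port == 8080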
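payload-size > 1000
  event "EXPLOIT delegate proxy overflow"
  tcp-state established,originator
  payload /.*[wW][hH][oO][iI][sS]\x3A\/\//
}

signature s2b-308-8 {
  ip-proto == tcp
  src-port == 21
  event "EXPLOIT NextFTP client overflow"
  tcp-state established,responder
  payload /.*\xB4 \xB4!\x8B\xCC\x83\xE9\x04\x8B\x193\xC9f\xB9\x10/
}

signature s2b-309-9 {
  ip-proto == tcp
  dst-port == 25
  payload-size > 512
  header tcp[13:1] & 255 == 16
  event "EXPLOIT sniffit overflow"
  tcp-state stateless
  payload /.*[fF][rR][oO][mM]\x3A\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
}

signature s2b-310-8 {
  ip-proto == tcp
  dst-port == 25
  event "EXPLOIT x86 windows MailMax overflow"
  tcp-state established,originator
  payload /.*\xEBE\xEB \[\xFC3\xC9\xB1\x82\x8B\xF3\x80\+/
}

signature s2b-311-11 {
  ip-proto == tcp
  dst-port == 80
  event "EXPLOIT Netscape 4.7 unsucessful overflow"
  tcp-state established,originator
  payload /.*3\xC9\xB1\x10\?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P/
}

signature s2b-313-4 {
  ip-proto == udp
  dst-port == 518
  event "EXPLOIT ntalkd x86 Linux overflow"
  payload /.*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xE8/
}

signature s2b-315-6 {
  ip-proto == udp
  dst-port == 635
  event "EXPLOIT x86 Linux mountd overflow"
  payload /.*\^\xB0\x02\x89\x06\xFE\xC8\x89F\x04\xB0\x06\x89F/
}

signature s2b-316-6 {
  ip-proto == udp
  dst-port == 635
  event "EXPLOIT x86 Linux mountd overflow"
  payload /.*\xEBV\^VVV1\xD2\x88V\x0B\x88V\x1E/
}

signature s2b-317-6 {
  ip-proto == udp
  dst-port == 635
  event "EXPLOIT x86 Linux mountd overflow"
  payload /.*\xEB@\^1\xC0@\x89F\x04\x89\xC3@\x89\x06/
}

signature s2b-1240-5 {
  ip-proto == tcp
  dst-port == 2224
  event "EXPLOIT MDBMS overflow"
  tcp-state established,originator
  payload /.*\x011\xDB\xCD\x80\xE8\[\xFF\xFF\xFF/
}

signature s2b-1261-10 {
  ip-proto == tcp
  dst-port == 4242
  payload-size > 1000
  event "EXPLOIT AIX pdnsd overflow"
  tcp-state established,originator
  payload /.*\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx/
  payload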
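/.*@\x8A\xFF\xC8@\x82\xFF\xD8\x3B6\xFE\x03\x3Bv\xFE\x02/
}

signature s2b-1398-10 {
  ip-proto == tcp
  dst-port == 6112
  event "EXPLOIT CDE dtspcd exploit attempt"
  tcp-state established,originator
  # NOTE(review): /.{10}/ only requires ten bytes of payload, which the first
  # regex already requires, so the second condition adds nothing.
  payload /.{9}1/
  payload /.{10}/
}

signature s2b-1751-5 {
  ip-proto == tcp
  dst-port >= 32772
  dst-port <= 34000
  payload-size > 720
  event "EXPLOIT cachefsd buffer overflow attempt"
  tcp-state established,originator
  payload /.*\x00\x01\x87\x86\x00\x00\x00\x01\x00\x00\x00\x05/
}

signature s2b-1894-8 {
  ip-proto == tcp
  dst-port == 749
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
}

signature s2b-1895-8 {
  ip-proto == tcp
  dst-port == 751
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
}

signature s2b-1896-8 {
  ip-proto == tcp
  dst-port == 749
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\xFF\xFFKADM0\.0A\x00\x00\xFB\x03/
}

signature s2b-1897-8 {
  ip-proto == tcp
  dst-port == 751
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\xFF\xFFKADM0\.0A\x00\x00\xFB\x03/
}

signature s2b-1898-8 {
  ip-proto == tcp
  dst-port == 749
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\/shh\/\/bi/
}

signature s2b-1899-8 {
  ip-proto == tcp
  dst-port == 751
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\/shh\/\/bi/
}

signature s2b-1812-5 {
  ip-proto == tcp
  dst-port == 22
  event "EXPLOIT gobbles SSH exploit attempt"
  tcp-state established,originator
  payload /.*GOBBLES/
}

signature s2b-1821-7 {
  ip-proto == tcp
  dst-port == 515
  event "EXPLOIT LPD dvips remote command execution attempt"
  tcp-state established,originator
  payload /.*psfile=\x22`/
}

signature s2b-1838-8 {
  ip-proto == tcp
  src-port == 22
  # Not supported: pcre: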
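# /^SSH-\s[^\n]{200}/ism
  event "EXPLOIT SSH server banner overflow"
  tcp-state established,responder
  # Not supported: isdataat: 200,relative
  payload /((^)|(\n+))[sS][sS][hH]-[\x20\x09\x0b][^\n]{200}/
}

signature s2b-307-9 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  event "EXPLOIT CHAT IRC topic overflow"
  tcp-state established,responder
  payload /.*\xEBK\[S2\xE4\x83\xC3\x0BK\x88\x23\xB8Pw/
}

signature s2b-1382-9 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  # Not supported: pcre: /^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi
  event "EXPLOIT CHAT IRC Ettercap parse overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  payload /((^)|(\n+))[pP][rR][iI][vV][mM][sS][gG][\x20\x09\x0b]+[nN][iI][cC][kK][sS][eE][rR][vV][\x20\x09\x0b]+[iI][dD][eE][nN][tT][iI][fF][yY][\x20\x09\x0b][^\n]{100}/
}

signature s2b-292-8 {
  ip-proto == tcp
  dst-port == 139
  event "EXPLOIT x86 Linux samba overflow"
  tcp-state established,originator
  payload /.*\xEB\/_\xEBJ\^\x89\xFB\x89>\x89\xF2/
}

signature s2b-2319-1 {
  ip-proto == tcp
  dst-port == 1655
  # Not supported: pcre: /^PASS\s[^\n]{49}/smi
  # NOTE(review): the event name and the dropped pcre say PASS, but the
  # payload regex matches USER (the same command as s2b-2320-1); one of the
  # two looks wrong -- confirm against the Snort source rule.
  event "EXPLOIT ebola PASS overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{49}/
}

signature s2b-2320-1 {
  ip-proto == tcp
  dst-port == 1655
  # Not supported: pcre: /^USER\s[^\n]{49}/smi
  event "EXPLOIT ebola USER overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[uU][sS][eE][rR][^\x0a]{49}/
}

signature s2b-2376-3 {
  ip-proto == udp
  dst-port == 500
  # Not supported: byte_test: 4,>,2043,24,2,>,2043,30
  event "EXPLOIT ISAKMP first payload certificate request length overflow attempt"
  payload /.{15}\x07/
}

signature s2b-2377-3 {
  ip-proto == udp
  dst-port == 500
  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
  # Not supported: byte_jump: 2,30
  event "EXPLOIT ISAKMP second payload certificate request length overflow attempt"
  payload /.{27}\x07/
}

signature s2b-2378-3 {
  ip-proto == udp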
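dst-port == 500
  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
  # Not supported: byte_jump: 2,30,relative,2,1,relative
  # NOTE(review): with the byte_jump dropped, /\x07/ is no longer positioned
  # relative to the previous payload, so this condition does not test what
  # the Snort rule tested; confirm against the Snort source (likewise
  # s2b-2379-3 and s2b-2380-3 below).
  event "EXPLOIT ISAKMP third payload certificate request length overflow attempt"
  payload /\x07/
}

signature s2b-2379-3 {
  ip-proto == udp
  dst-port == 500
  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
  # Not supported: byte_jump: 2,30,relative,2,-2,relative,2,1,relative
  event "EXPLOIT ISAKMP forth payload certificate request length overflow attempt"
  payload /\x07/
}

signature s2b-2380-3 {
  ip-proto == udp
  dst-port == 500
  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
  # Not supported: byte_jump: 2,30,relative,2,-2,relative,2,-2,relative,2,1,relative
  event "EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"
  payload /\x07/
}

signature s2b-2413-7 {
  ip-proto == udp
  dst-port == 500
  event "EXPLOIT ISAKMP delete hash with empty hash attempt"
  payload /.{15}\x08/
  payload /.{27}\x0C/
  payload /.{29}\x00\x04/
}

signature s2b-2414-7 {
  ip-proto == udp
  dst-port == 500
  event "EXPLOIT ISAKMP initial contact notification without SPI attempt"
  payload /.{15}\x0B/
  payload /.{29}\x00\x0C\x00\x00\x00\x01\x01\x00\x06\x02/
}

signature s2b-2415-7 {
  ip-proto == udp
  dst-port == 500
  # Not supported: byte_jump: 2,30
  event "EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"
  payload /.{27}\x0B\x00\x0C\x00\x00\x00\x01\x01\x00`\x02/
}

signature s2b-2443-4 {
  ip-proto == udp
  src-port == 4000
  # Not supported: byte_test: 1,>,1,12,relative,2,>,128,18,relative,little
  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
  payload /.*\x05\x00.{5}\xDE\x03/
}

signature s2b-2444-4 {
  ip-proto == udp
  src-port == 4000
  # Not supported: byte_jump: 2,18,relative,little
  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
  # Not supported: byte_test: 1,>,1,12,relative,2,>,128,0,relative,little
  payload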
/\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/ payload /.*\x05\x00.{5}\xDE\x03/ } signature s2b-2445-4 { ip-proto == udp src-port == 4000 # Not supported: byte_test: 2,>,128,0,relative,little,1,>,1,12,relative event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt" # Not supported: byte_jump: 2,18,relative,little,2,0,relative,little payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/ payload /.*\x05\x00.{5}\xDE\x03/ } signature s2b-2446-4 { ip-proto == udp src-port == 4000 # Not supported: byte_jump: 2,0,relative,little,2,18,relative,little,2,0,relative,little event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt" # Not supported: byte_test: 2,>,128,0,relative,little,1,>,1,12,relative payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/ payload /.*\x05\x00.{5}\xDE\x03/ } signature s2b-2462-6 { # Not supported: byte_test: 1,>,63,0,1,<,67,0,1,>,16,12 header ip[9:1] == 2 event "EXPLOIT IGMP IGAP account overflow attempt" } signature s2b-2463-6 { # Not supported: byte_test: 1,>,63,0,1,<,67,0,1,>,64,13 header ip[9:1] == 2 event "EXPLOIT IGMP IGAP message overflow attempt" } signature s2b-2464-6 { # Not supported: byte_test: 1,>,32,44 header ip[9:1] == 88 event "EXPLOIT EIGRP prefix length overflow attempt" } signature s2b-2489-2 { ip-proto == tcp dst-port == 80 event "EXPLOIT esignal STREAMQUOTE buffer overflow attempt" tcp-state established,originator # Not supported: isdataat: 1024,relative payload /.*<[sS][tT][rR][eE][aA][mM][qQ][uU][oO][tT][eE]>/ } signature s2b-2490-3 { ip-proto == tcp dst-port == 80 event "EXPLOIT esignal SNAPQUOTE buffer overflow attempt" tcp-state established,originator # Not supported: isdataat: 1024,relative payload /.*<[sS][nN][aA][pP][qQ][uU][oO][tT][eE]>/ } signature s2b-2545-4 { ip-proto == tcp dst-port == 548 # Not supported: byte_jump: 2,1,relative,2,1,relative event "EXPLOIT AFP FPLoginExt username buffer overflow attempt" tcp-state established,originator # Not supported: isdataat: 2,relative payload 
/\x00\x02.{14}\?/ payload /.*[cC][lL][eE][aA][rR][tT][xX][tT] [pP][aA][sS][sS][wW][rR][dD]/ } signature s2b-2550-2 { ip-proto == tcp src-port == 80 event "EXPLOIT winamp XM module name overflow" tcp-state established,responder # Not supported: isdataat: 20,relative payload /.*[eE][xX][tT][eE][nN][dD][eE][dD] [mM][oO][dD][uU][lL][eE]\x3A[^\x1A]{21}/ } signature s2b-2551-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^GET[^s]{432}/sm event "EXPLOIT Oracle Web Cache GET overflow attempt" tcp-state established,originator payload /.*GET/ payload /((^)|(\n+))GET[^s]{432}/ } signature s2b-2552-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^HEAD[^s]{432}/sm event "EXPLOIT Oracle Web Cache HEAD overflow attempt" tcp-state established,originator payload /.*HEAD/ payload /((^)|(\n+))HEAD[^s]{432}/ } signature s2b-2553-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^PUT[^s]{432}/sm event "EXPLOIT Oracle Web Cache PUT overflow attempt" tcp-state established,originator payload /((^)|(\n+))PUT[^s]{432}/ } signature s2b-2554-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^POST[^s]{432}/sm event "EXPLOIT Oracle Web Cache POST overflow attempt" tcp-state established,originator payload /((^)|(\n+))POST[^s]{432}/ } signature s2b-2555-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^TRACE[^s]{432}/sm event "EXPLOIT Oracle Web Cache TRACE overflow attempt" tcp-state established,originator payload /((^)|(\n+))TRACE[^s]{432}/ } signature s2b-2556-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^DELETE[^s]{432}/sm event "EXPLOIT Oracle Web Cache DELETE overflow attempt" tcp-state established,originator payload /.*DELETE/ payload /((^)|(\n+))DELETE[^s]{432}/ } signature s2b-2557-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^LOCK[^s]{432}/sm event "EXPLOIT Oracle Web Cache LOCK 
overflow attempt" tcp-state established,originator payload /((^)|(\n+))LOCK[^s]{432}/ } signature s2b-2558-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^MKCOL[^s]{432}/sm event "EXPLOIT Oracle Web Cache MKCOL overflow attempt" tcp-state established,originator payload /((^)|(\n+))MKCOL[^s]{432}/ } signature s2b-2559-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^COPY[^s]{432}/sm event "EXPLOIT Oracle Web Cache COPY overflow attempt" tcp-state established,originator payload /((^)|(\n+))COPY[^s]{432}/ } signature s2b-2560-2 { ip-proto == tcp dst-port >= 7777 dst-port <= 7778 # Not supported: pcre: /^MOVE[^s]{432}/sm event "EXPLOIT Oracle Web Cache MOVE overflow attempt" tcp-state established,originator payload /((^)|(\n+))MOVE[^s]{432}/ } signature s2b-320-9 { ip-proto == tcp dst-port == 79 event "FINGER cmd_rootsh backdoor attempt" tcp-state established,originator payload /.*cmd_rootsh/ } signature s2b-321-5 { ip-proto == tcp dst-port == 79 event "FINGER account enumeration attempt" tcp-state established,originator payload /.*[aA] [bB] [cC] [dD] [eE] [fF]/ } signature s2b-322-10 { ip-proto == tcp dst-port == 79 event "FINGER search query" tcp-state established,originator payload /.*search/ } signature s2b-323-5 { ip-proto == tcp dst-port == 79 event "FINGER root query" tcp-state established,originator payload /.*root/ } signature s2b-324-5 { ip-proto == tcp dst-port == 79 event "FINGER null request" tcp-state established,originator payload /.*\x00/ } signature s2b-326-9 { ip-proto == tcp dst-port == 79 event "FINGER remote command execution attempt" tcp-state established,originator payload /.*\x3B/ } signature s2b-327-8 { ip-proto == tcp dst-port == 79 event "FINGER remote command pipe execution attempt" tcp-state established,originator payload /.*\x7C/ } signature s2b-328-8 { ip-proto == tcp dst-port == 79 event "FINGER bomb attempt" tcp-state established,originator payload /.*@@/ } signature s2b-330-9 
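{
  ip-proto == tcp
  dst-port == 79
  event "FINGER redirection attempt"
  tcp-state established,originator
  payload /.*@/
}

signature s2b-331-10 {
  ip-proto == tcp
  dst-port == 79
  event "FINGER cybercop query"
  tcp-state established,originator
  payload /.{0,4}\x0A /
}

signature s2b-332-8 {
  ip-proto == tcp
  dst-port == 79
  event "FINGER 0 query"
  tcp-state established,originator
  # NOTE(review): matches any finger request containing a "0"; very noisy.
  payload /.*0/
}

signature s2b-333-8 {
  ip-proto == tcp
  dst-port == 79
  event "FINGER . query"
  tcp-state established,originator
  # NOTE(review): matches any finger request containing a "."; very noisy.
  payload /.*\./
}

signature s2b-1541-4 {
  ip-proto == tcp
  dst-port == 79
  event "FINGER version query"
  tcp-state established,originator
  payload /.*version/
}

signature s2b-2546-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^MDTM\s[^\n]{100}/smi
  event "FTP MDTM overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  payload /((^)|(\n+))[mM][dD][tT][mM][\x20\x09\x0b][^\n]{100}/
}

signature s2b-2373-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^XMKD\s[^\n]{100}/smi
  event "FTP XMKD overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  # Fixed: "[xXmMkKdD]" was a one-character class (a single letter followed
  # by whitespace), so a real XMKD command never matched. Spell the verb
  # out letter by letter as the other FTP signatures do.
  payload /((^)|(\n+))[xX][mM][kK][dD][\x20\x09\x0b][^\n]{100}/
  eval dataSizeG100
}

signature s2b-2374-4 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^NLST\s[^\n]{100}/smi
  event "FTP NLST overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  # Fixed: "[nNlLsStT]" was a one-character class (see s2b-2373-1).
  ftp /((^)|(\n+))[nN][lL][sS][tT][\x20\x09\x0b][^\n]{100}/
  eval dataSizeG100
}

signature s2b-2449-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^ALLO\s[^\n]{100}/smi
  event "FTP ALLO overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature !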
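ftp_server_error
  # Fixed: "[aAlLlLoO]" was a one-character class (a single letter followed
  # by whitespace), so a real ALLO command never matched. Spell the verb
  # out letter by letter as the other FTP signatures do.
  payload /((^)|(\n+))[aA][lL][lL][oO][\x20\x09\x0b][^\n]{100}/
}

signature s2b-2389-4 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^RNTO\s[^\n]{100}/smi
  event "FTP RNTO overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  ftp /((^)|(\n+))[rR][nN][tT][oO][\x20\x09\x0b][^\n]{100}/
  eval dataSizeG100
}

signature s2b-2390-4 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^STOU\s[^\n]{100}/smi
  event "FTP STOU overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  payload /((^)|(\n+))[sS][tT][oO][uU][\x20\x09\x0b][^\n]{100}/
  eval dataSizeG100
}

signature s2b-2391-4 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^APPE\s[^\n]{100}/smi
  event "FTP APPE overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  payload /((^)|(\n+))[aA][pP][pP][eE][\x20\x09\x0b][^\n]{100}/
  eval dataSizeG100
}

signature s2b-2392-4 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^RETR\s[^\n]{100}/smi
  event "FTP RETR overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]{100}/
  eval dataSizeG100
}

signature s2b-2343-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^STOR\s[^\n]{100}/smi
  event "FTP STOR overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature ! ftp_server_error
  ftp /((^)|(\n+))[sS][tT][oO][rR][\x20\x09\x0b][^\n]{100}/
  eval dataSizeG100
}

signature s2b-337-10 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^CEL\s[^\n]{100}/smi
  event "FTP CEL overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  requires-reverse-signature !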
ftp_server_error ftp /((^)|(\n+))[cC][eE][lL][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-2344-1 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^XCWD\s[^\n]{100}/smi event "FTP XCWD overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[xX][cC][wW][dD][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1919-12 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^CWD\s[^\n]{100}/smi event "FTP CWD overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1621-10 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^CMD\s[^\n]{100}/smi event "FTP CMD overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[cC][mM][dD][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1379-7 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^STAT\s[^\n]{100}/smi event "FTP STAT overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-2340-4 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+CHMOD\s[^\n]{100}/smi event "FTP SITE CHMOD overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! 
ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][mM][oO][dD][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1562-11 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+CHOWN\s[^\n]{100}/smi event "FTP SITE CHOWN overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][oO][wW][nN][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1920-6 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+NEWER\s[^\n]{100}/smi event "FTP SITE NEWER overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1888-8 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+CPWD\s[^\n]{100}/smi event "FTP SITE CPWD overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][pP][wW][dD][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1971-4 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi event "FTP SITE EXEC format string attempt" tcp-state established,originator requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[eE][xX][eE][cC][\x20\x09\x0b][^\n]*?%[^\n]*?%/ } signature s2b-1529-10 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s[^\n]{100}/smi event "FTP SITE overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! 
ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1734-16 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^USER\s[^\n]{100}/smi event "FTP USER overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1972-10 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^PASS\s[^\n]{100}/smi event "FTP PASS overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1942-4 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^RMDIR\s[^\n]{100}/smi event "FTP RMDIR overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[rR][mM][dD][iI][rR][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1973-6 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^MKD\s[^\n]{100}/smi event "FTP MKD overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[mM][kK][dD][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1974-6 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^REST\s[^\n]{100}/smi event "FTP REST overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[rR][eE][sS][tT][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1975-6 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^DELE\s[^\n]{100}/smi event "FTP DELE overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! 
ftp_server_error ftp /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1976-6 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^RMD\s[^\n]{100}/smi event "FTP RMD overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[rR][mM][dD][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1623-6 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^MODE\s+[^ABSC]{1}/msi event "FTP invalid MODE" tcp-state established,originator requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[mM][oO][dD][eE][\x20\x09\x0b]+[^aAbBsScC]{1}/ } signature s2b-1624-5 { ip-proto == tcp dst-port == 21 payload-size == 10 event "FTP large PWD command" tcp-state established,originator payload /.*[pP][wW][dD]/ requires-reverse-signature ! ftp_server_error } signature s2b-2125-8 { ip-proto == tcp dst-port == 21 event "FTP CWD Root directory transversal attempt" tcp-state established,originator payload /.*[cC][wW][dD].{1}.*C\x3A\x5C/ requires-reverse-signature ! ftp_server_error } signature s2b-1921-5 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+ZIPCHK\s[^\n]{100}/smi event "FTP SITE ZIPCHK overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[zZ][iI][pP][cC][hH][kK][\x20\x09\x0b][^\n]{100}/ eval dataSizeG100 } signature s2b-1864-7 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+NEWER/smi event "FTP SITE NEWER attempt" tcp-state established,originator requires-reverse-signature ! 
ftp_server_error ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR]/ } signature s2b-361-12 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^SITE\s+EXEC/smi event "FTP SITE EXEC attempt" tcp-state established,originator payload /.*[sS][iI][tT][eE].*.*[eE][xX][eE][cC]/ requires-reverse-signature ! ftp_server_error } signature s2b-1777-4 { ip-proto == tcp dst-port == 21 event "FTP EXPLOIT STAT * dos attempt" tcp-state established,originator payload /.*[sS][tT][aA][tT].{1}.*\*/ requires-reverse-signature ! ftp_server_error } signature s2b-1778-4 { ip-proto == tcp dst-port == 21 event "FTP EXPLOIT STAT ? dos attempt" tcp-state established,originator payload /.*[sS][tT][aA][tT].{1}.*\?/ requires-reverse-signature ! ftp_server_error } signature s2b-362-12 { ip-proto == tcp dst-port == 21 event "FTP tar parameters" tcp-state established,originator payload /.* --[uU][sS][eE]-[cC][oO][mM][pP][rR][eE][sS][sS]-[pP][rR][oO][gG][rR][aA][mM] / requires-reverse-signature ! ftp_server_error } signature s2b-336-10 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^CWD\s+~root/smi event "FTP CWD ~root attempt" tcp-state established,originator requires-reverse-signature ! ftp_server_error payload /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b]+~[rR][oO][oO][tT]/ } signature s2b-1229-7 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^CWD\s[^\n]*?\.\.\./smi event "FTP CWD ..." tcp-state established,originator requires-reverse-signature ! ftp_server_error payload /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]*?\.\.\./ } signature s2b-1672-10 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^CWD\s+~/smi event "FTP CWD ~ attempt" tcp-state established,originator requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))CWD[\x20\x09\x0b]+~/ } signature s2b-360-7 { ip-proto == tcp dst-port == 21 event "FTP serv-u directory transversal" tcp-state established,originator payload /.*\.%20\./ requires-reverse-signature ! 
ftp_server_error } signature s2b-1378-14 { ip-proto == tcp dst-port == 21 event "FTP wu-ftp bad file completion attempt {" tcp-state established,originator ftp /.{2,} ~.?\{/ } signature s2b-1992-5 { ip-proto == tcp dst-port == 21 event "FTP LIST directory traversal attempt" tcp-state established,originator payload /.*LIST.{1}.*\.\..{1}.*\.\./ requires-reverse-signature ! ftp_server_error } signature s2b-334-5 { ip-proto == tcp dst-port == 21 event "FTP .forward" tcp-state established,originator payload /.*\.forward/ requires-reverse-signature ! ftp_server_error } signature s2b-335-5 { ip-proto == tcp dst-port == 21 event "FTP .rhosts" tcp-state established,originator ftp /.*\.rhosts/ requires-reverse-signature ! ftp_server_error } signature s2b-1927-2 { ip-proto == tcp dst-port == 21 event "FTP authorized_keys" tcp-state established,originator payload /.*authorized_keys/ requires-reverse-signature ! ftp_server_error } signature s2b-356-5 { ip-proto == tcp dst-port == 21 event "FTP passwd retrieval attempt" tcp-state established,originator payload /.*[rR][eE][tT][rR]/ payload /[\x20\x09\x0b\/.]*passwd[\x20\x09\x0b]*$/ requires-reverse-signature ! ftp_server_error } signature s2b-1928-3 { ip-proto == tcp dst-port == 21 event "FTP shadow retrieval attempt" tcp-state established,originator payload /.*[rR][eE][tT][rR]/ payload /.*shadow/ requires-signature got_ftp_root requires-reverse-signature ! ftp_server_error } signature s2b-144-9 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^USER\s+w0rm/smi event "FTP ADMw0rm ftp login attempt" tcp-state established,originator payload /.*[uU][sS][eE][rR].{1}.*[wW]0[rR][mM]/ requires-reverse-signature ! ftp_server_error } signature s2b-353-6 { ip-proto == tcp dst-port == 21 event "FTP adm scan" tcp-state established,originator payload /.*PASS ddd@\x0A/ requires-reverse-signature ! 
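ftp_server_error
}

signature s2b-354-5 {
  ip-proto == tcp
  dst-port == 21
  event "FTP iss scan"
  tcp-state established,originator
  payload /.*pass -iss@iss/
  requires-reverse-signature ! ftp_server_error
}

signature s2b-355-5 {
  ip-proto == tcp
  dst-port == 21
  event "FTP pass wh00t"
  tcp-state established,originator
  payload /.*[pP][aA][sS][sS] [wW][hH]00[tT]/
  requires-reverse-signature ! ftp_server_error
}

signature s2b-357-5 {
  ip-proto == tcp
  dst-port == 21
  event "FTP piss scan"
  tcp-state established,originator
  payload /.*pass -cklaus/
  requires-reverse-signature ! ftp_server_error
}

signature s2b-358-5 {
  ip-proto == tcp
  dst-port == 21
  event "FTP saint scan"
  tcp-state established,originator
  payload /.*pass -saint/
  requires-reverse-signature ! ftp_server_error
}

signature s2b-359-5 {
  ip-proto == tcp
  dst-port == 21
  event "FTP satan scan"
  tcp-state established,originator
  payload /.*pass -satan/
  requires-reverse-signature ! ftp_server_error
}

signature s2b-2178-13 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^USER\s[^\n]*?%[^\n]*?%/smi
  event "FTP USER format string attempt"
  tcp-state established,originator
  requires-reverse-signature ! ftp_server_error
  ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
}

signature s2b-2179-4 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^PASS\s[^\n]*?%[^\n]*?%/smi
  event "FTP PASS format string attempt"
  tcp-state established,originator
  requires-reverse-signature ! ftp_server_error
  # Fixed: the generated pattern was missing the "[" of the whitespace
  # class after PASS ("...[sS]\x20\x09\x0b]..."), leaving an unbalanced
  # bracket; it now matches the form used by s2b-2178-13.
  ftp /((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]*?%[^\n]*?%/
}

signature s2b-2332-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^MKDIR\s[^\n]*?%[^\n]*?%/smi
  event "FTP MKDIR format string attempt"
  tcp-state established,originator
  requires-reverse-signature !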
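ftp_server_error
  ftp /((^)|(\n+))[mM][kK][dD][iI][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
}

signature s2b-2333-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^RENAME\s[^\n]*?%[^\n]*?%/smi
  event "FTP RENAME format string attempt"
  tcp-state established,originator
  requires-reverse-signature ! ftp_server_error
  ftp /((^)|(\n+))[rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?%[^\n]*?%/
}

signature s2b-2338-5 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^LIST\s[^\n]{100,}/smi
  event "FTP LIST buffer overflow attempt"
  tcp-state established,originator
  requires-reverse-signature ! ftp_server_error
  ftp /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{100,}/
}

signature s2b-2272-4 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^LIST\s+\x22-W\s+\d+/smi
  event "FTP LIST integer overflow attempt"
  tcp-state established,originator
  requires-reverse-signature ! ftp_server_error
  ftp /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b]+\x22-W[\x20\x09\x0b]+[0-9]+/
}

signature s2b-2334-2 {
  ip-proto == tcp
  dst-port == 3535
  # Not supported: pcre: /^USER\s+y049575046/smi
  event "FTP Yak! FTP server default account login attempt"
  tcp-state established,originator
  requires-reverse-signature ! ftp_server_error
  # Fixed: the pcre above is case-insensitive (smi) but the generated
  # pattern only matched upper-case "USER"; "user y049575046" slipped past.
  payload /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b]+[yY]049575046/
}

signature s2b-2335-2 {
  ip-proto == tcp
  dst-port == 3535
  # Not supported: pcre: /^RMD\s+\x2f$/smi
  event "FTP RMD / attempt"
  tcp-state established,originator
  # NOTE(review): the "/" argument from the pcre was not carried over, so
  # this fires on any RMD command to port 3535, not only on "RMD /".
  payload /.*[rR][mM][dD]/
  requires-reverse-signature ! ftp_server_error
}

signature s2b-2416-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^MDTM \d+[-+]\D/smi
  event "FTP invalid MDTM command attempt"
  tcp-state established,originator
  requires-reverse-signature ! ftp_server_error
  # Fixed: "[mMdDtTmM]" was a one-character class, so a real MDTM command
  # never matched; spell the verb out and keep the separating space the
  # pcre above requires.
  ftp /((^)|(\n+))[mM][dD][tT][mM] [0-9]+[-+][^0-9]/
}

signature s2b-2417-1 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /\s+.*?%.*?%/smi
  event "FTP format string attempt"
  tcp-state established,originator
  payload /.*%/
  ftp /[\x20\x09\x0b]+.*?%.*?%/
  requires-reverse-signature !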
ftp_server_error } signature s2b-2574-1 { ip-proto == tcp dst-port == 21 # Not supported: pcre: /^RETR\s[^\n]*?%[^\n]*?%/smi event "FTP RETR format string attempt" tcp-state established,originator requires-reverse-signature ! ftp_server_error ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/ } signature s2b-377-7 { ip-proto == icmp header icmp[0:1] == 8 event "ICMP PING Network Toolbox 3 Windows" payload /.{0,16}================/ } signature s2b-465-3 { ip-proto == icmp header icmp[0:1] == 8 event "ICMP ISS Pinger" payload /.{0,24}ISSPNGRQ/ } signature s2b-467-3 { ip-proto == icmp payload-size == 20 header icmp[0:1] == 8 header icmp[0:1] == 0,8 header icmp[6:2] == 0 event "ICMP Nemesis v1.1 Echo" header icmp[0:1] == 0,8 header icmp[4:2] == 0 payload /\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/ } signature s2b-471-3 { ip-proto == icmp payload-size == 0 header icmp[0:1] == 8 header icmp[0:1] == 0,8 header icmp[6:2] == 0 event "ICMP icmpenum v1.1.1" header ip[4:2] == 666 header icmp[0:1] == 0,8 header icmp[4:2] == 666 } signature s2b-472-4 { ip-proto == icmp header icmp[1:1] == 1 header icmp[0:1] == 5 event "ICMP redirect host" } signature s2b-475-3 { ip-proto == icmp header icmp[0:1] == 0 event "ICMP traceroute ipopts" ip-options rr } signature s2b-476-4 { ip-proto == icmp header icmp[1:1] == 0 header icmp[0:1] == 8 event "ICMP webtrends scanner" payload /.*\x00\x00\x00\x00EEEEEEEEEEEE/ } signature s2b-478-3 { ip-proto == icmp payload-size == 4 header icmp[0:1] == 8 header icmp[0:1] == 0,8 header icmp[6:2] == 0 event "ICMP Broadscan Smurf Scanner" header icmp[0:1] == 0,8 header icmp[4:2] == 0 } signature s2b-481-5 { ip-proto == icmp header icmp[0:1] == 8 event "ICMP TJPingPro1.1Build 2 Windows" payload /.{0,16}TJPingPro by Jim/ } signature s2b-484-4 { ip-proto == icmp header icmp[0:1] == 8 event "ICMP PING Sniffer Pro/NetXRay network scan" payload /.{0,13}Cinco Network, Inc\./ } signature s2b-1813-5 { ip-proto == 
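icmp
  event "ICMP digital island bandwidth query"
  payload /mailto\x3Aops@digisle\.com/
}

signature s2b-1993-4 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sLOGIN\s[^\n]*?\s\{/smi
  # Not supported: byte_test: 5,>,256,0,string,dec,relative
  # NOTE(review): without the byte_test the literal length is not checked,
  # so any "LOGIN ... {" with a literal argument matches, not only oversized ones.
  event "IMAP login literal buffer overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[lL][oO][gG][iI][nN][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
}

signature s2b-1842-9 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sLOGIN\s[^\n]{100}/smi
  event "IMAP login buffer overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  # Fixed: the pcre above is case-insensitive (smi) but the generated
  # pattern only matched upper-case "LOGIN"; now spelled per letter like
  # the neighbouring IMAP signatures.
  payload /((^)|(\n+))[\x20\x09\x0b][lL][oO][gG][iI][nN][\x20\x09\x0b][^\n]{100}/
}

signature s2b-2105-4 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sAUTHENTICATE\s[^\n]*?\s\{/smi
  # Not supported: byte_test: 5,>,256,0,string,dec,relative
  event "IMAP authenticate literal overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
}

signature s2b-1844-9 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sAUTHENTICATE\s[^\n]{100}/smi
  event "IMAP authenticate overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  payload /((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]{100}/
}

signature s2b-1930-3 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: byte_test: 5,>,256,0,string,dec,relative
  event "IMAP auth literal overflow attempt"
  tcp-state established,originator
  payload /.* [aA][uU][tT][hH]/
  payload /.*\{/
}

signature s2b-2330-1 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /AUTH\s[^\n]{100}/smi
  event "IMAP auth overflow attempt"
  tcp-state established,originator
  # Fixed: the pcre above is not anchored, but the generated pattern was
  # anchored to the start of the data; IMAP commands carry a tag first, so
  # it never matched. Use the unanchored ".*" form as s2b-1930-3 does.
  payload /.*[aA][uU][tT][hH][\x20\x09\x0b][^\n]{100}/
}

signature s2b-1902-9 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sLSUB\s[^\n]*?\s\{/smi
  # Not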
supported: byte_test: 5,>,256,0,string,dec,relative event "IMAP lsub literal overflow attempt" tcp-state established,originator payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/ } signature s2b-2106-7 { ip-proto == tcp dst-port == 143 # Not supported: pcre: /\sLSUB\s[^\n]{100}/smi event "IMAP lsub overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]{100}/ } signature s2b-1845-15 { ip-proto == tcp dst-port == 143 # Not supported: pcre: /\sLIST\s[^\n]*?\s\{/smi # Not supported: byte_test: 5,>,256,0,string,dec,relative event "IMAP list literal overflow attempt" tcp-state established,originator payload /((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/ } signature s2b-2118-6 { ip-proto == tcp dst-port == 143 # Not supported: pcre: /\sLIST\s[^\n]{100}/smi event "IMAP list overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative payload /((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]{100}/ } signature s2b-2119-5 { ip-proto == tcp dst-port == 143 # Not supported: pcre: /\sRENAME\s[^\n]*?\s\{/smi # Not supported: byte_test: 5,>,256,0,string,dec,relative event "IMAP rename literal overflow attempt" tcp-state established,originator payload /((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/ } signature s2b-1903-8 { ip-proto == tcp dst-port == 143 # Not supported: pcre: /\sRENAME\s[^\n]{100}/smi event "IMAP rename overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative payload /((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]{100}/ } signature s2b-1904-7 { ip-proto == tcp dst-port == 143 # Not supported: pcre: /\sFIND\s[^\n]{100}/smi event "IMAP find overflow attempt" tcp-state established,originator # Not supported: isdataat: 100,relative payload 
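/((^)|(\n+))[\x20\x09\x0b][fF][iI][nN][dD][\x20\x09\x0b][^\n]{100}/
}

signature s2b-1755-14 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sPARTIAL.*BODY\[[^\]]{1024}/smi
  event "IMAP partial body buffer overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\[[^\]]{1024}/
}

signature s2b-2046-6 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi
  event "IMAP partial body.peek buffer overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[[^\]]{1024}/
}

signature s2b-2107-3 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sCREATE\s[^\n]{1024}/smi
  event "IMAP create buffer overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 1024,relative
  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]{1024}/
}

signature s2b-2120-3 {
  ip-proto == tcp
  dst-port == 143
  # Not supported: pcre: /\sCREATE\s*\{/smi
  # Not supported: byte_test: 5,>,256,0,string,dec,relative
  event "IMAP create literal buffer overflow attempt"
  tcp-state established,originator
  # Fixed: the generated pattern used "\s", which every other signature in
  # this file spells as "[\x20\x09\x0b]", and required extra text before
  # the "{"; it now mirrors the pcre above (CREATE, optional whitespace, "{").
  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b]*\{/
}

signature s2b-2497-6 {
  ip-proto == tcp
  dst-port == 993
  event "IMAP SSLv3 invalid data version attempt"
  tcp-state established,originator
  payload /\x16\x03/
  payload /.{4}\x01/
  # Fixed: "[^\x03]*" also matches the empty string, so the third check
  # was satisfied by every payload and the "invalid version" condition was
  # lost; require the byte at offset 8 to actually differ from 0x03.
  payload /.{8}[^\x03]/
}

signature s2b-2517-10 {
  ip-proto == tcp
  dst-port == 993
  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
  event "IMAP PCT Client_Hello overflow attempt"
  tcp-state established,originator
  payload /.{1}\x01/
  payload /.{10}\x8F/
}

signature s2b-2530-3 {
  ip-proto == tcp
  src-port == 993
  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
  event "IMAP SSLv3 Server_Hello request"
  tcp-state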
established,responder
  payload /\x16\x03/
  payload /.{4}\x02/
  }
signature s2b-489-7 {
  ip-proto == tcp
  dst-port == 21
  # Not supported: pcre: /^PASS\s*\n/smi
  # NOTE(review): the generated pattern demands a whitespace character before
  # PASS and a bare \n after it, while the pcre it was derived from has neither
  # (and its \s would also absorb the \r of a CRLF line ending).  Confirm on a
  # real "PASS\r\n" capture before relying on this event.
  event "INFO FTP no password"
  tcp-state established,originator
  ftp /((^)|(\n+))[\x20\x09\x0b][pP][aA][sS][sS][\x20\x09\x0b]*\n/
  }
signature s2b-491-8 {
  ip-proto == tcp
  src-port == 21
  # Not supported: pcre: /^530\s+(Login|User)/smi
  # Server-side 530 reply: one event per failed login, useful mainly when
  # counted per source for brute-force detection.
  event "INFO FTP Bad login"
  tcp-state established,responder
  ftp /((^)|(\n+))530[\x20\x09\x0b]+([lL][oO][gG][iI][nN]|[uU][sS][eE][rR])/
  }
signature s2b-1251-6 {
  ip-proto == tcp
  src-port == 23
  event "INFO TELNET Bad Login"
  tcp-state established,responder
  payload /.*[lL][oO][gG][iI][nN] [iI][nN][cC][oO][rR][rR][eE][cC][tT]/
  }
# Source-routed packets: with lsrr/ssrr the sender chooses the path, which is
# how address-based trust gets spoofed.  These should already be dropped at
# the border, so any hit inside is worth a look.
signature s2b-500-4 {
  event "MISC source route lssr"
  ip-options lsrr
  }
signature s2b-501-4 {
  event "MISC source route lssre"
  ip-options lsrre
  }
signature s2b-502-2 {
  event "MISC source route ssrr"
  ip-options ssrr
  }
# Bare SYN (tcp[13] == 0x02) from a "well-known" source port to a privileged
# port: the classic way of slipping through stateless filters that let
# ftp-data / DNS replies back in.
signature s2b-503-6 {
  ip-proto == tcp
  src-port == 20
  dst-port >= 0
  dst-port <= 1023
  header tcp[13:1] & 255 == 2
  event "MISC Source Port 20 to <1024"
  tcp-state stateless
  }
signature s2b-504-6 {
  ip-proto == tcp
  src-port == 53
  dst-port >= 0
  dst-port <= 1023
  header tcp[13:1] & 255 == 2
  event "MISC source port 53 to <1024"
  tcp-state stateless
  }
signature s2b-505-5 {
  ip-proto == tcp
  dst-port == 1417
  event "MISC Insecure TIMBUKTU Password"
  tcp-state established,originator
  payload /.{0,13}\x05\x00>/
  }
signature s2b-507-4 {
  ip-proto == tcp
  dst-port == 5631
  event "MISC PCAnywhere Attempted Administrator Login"
  tcp-state established,originator
  payload /.*ADMINISTRATOR/
  }
signature s2b-508-7 {
  ip-proto == tcp
  dst-port == 70
  event "MISC gopher proxy"
  tcp-state established,originator
  payload /.*[fF][tT][pP]\x3A/
  payload /.*@\//
  }
signature s2b-512-4 {
  ip-proto == tcp
  src-port >= 5631
  src-port <= 5632
  event "MISC PCAnywhere Failed Login"
  tcp-state established,responder
  payload /.{0,3}Invalid login/
  }
signature s2b-513-10 {
  ip-proto == tcp
  src-port == 7161
  # SYN+ACK (tcp[13] == 0x12) from port 7161: the service answered, i.e. the
  # remote-access port is open, not merely probed.
  header tcp[13:1] & 
255 == 18
  event "MISC Cisco Catalyst Remote Access"
  tcp-state stateless
  }
signature s2b-514-5 {
  ip-proto == tcp
  dst-port == 27374
  event "MISC ramen worm"
  tcp-state established,originator
  payload /.{0,4}[gG][eE][tT] /
  }
signature s2b-516-3 {
  ip-proto == udp
  dst-port == 161
  event "MISC SNMP NT UserList"
  payload /.*\+\x06\x10@\x14\xD1\x02\x19/
  }
signature s2b-517-1 {
  ip-proto == udp
  dst-port == 177
  event "MISC xdmcp query"
  payload /.*\x00\x01\x00\x03\x00\x01\x00/
  }
signature s2b-1867-1 {
  ip-proto == udp
  dst-port == 177
  event "MISC xdmcp info query"
  payload /.*\x00\x01\x00\x02\x00\x01\x00/
  }
signature s2b-522-2 {
  # ip[6] & 0xE0 == 0x20: MF set, DF and the reserved bit clear.  Together
  # with a payload under 25 bytes this is the shape used to split a transport
  # header across fragments and defeat header-based filtering.
  header ip[6:1] & 224 == 32
  payload-size < 25
  event "MISC Tiny Fragments"
  }
signature s2b-1384-8 {
  ip-proto == udp
  dst-port == 1900
  event "MISC UPnP malformed advertisement"
  payload /.*[nN][oO][tT][iI][fF][yY] \* /
  }
signature s2b-1388-12 {
  ip-proto == udp
  dst-port == 1900
  # Not supported: pcre: /^Location\:[^\n]{128}/smi
  event "MISC UPnP Location overflow"
  payload /((^)|(\n+))[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\n]{128}/
  }
# AIM URI handlers in server-side content (tcp-state responder, any port):
# these matched the aim:AddGame? / aim:AddExternalApp? client-side bugs.
signature s2b-1393-12 {
  ip-proto == tcp
  event "MISC AIM AddGame attempt"
  tcp-state established,responder
  payload /.*[aA][iI][mM]\x3A[aA][dD][dD][gG][aA][mM][eE]\?/
  }
signature s2b-1752-4 {
  ip-proto == tcp
  event "MISC AIM AddExternalApp attempt"
  tcp-state established,responder
  payload /.*[aA][iI][mM]\x3A[aA][dD][dD][eE][xX][tT][eE][rR][nN][aA][lL][aA][pP][pP]\?/
  }
signature s2b-1636-8 {
  ip-proto == tcp
  dst-port == 32000
  # Not supported: pcre: /^Username\:[^\n]{100}/smi
  payload-size > 500
  event "MISC Xtramail Username overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 100,relative
  payload /((^)|(\n+))[uU][sS][eE][rR][nN][aA][mM][eE]\:[^\n]{100}/
  }
signature s2b-1887-3 {
  ip-proto == tcp
  dst-port == 443
  # Cleartext "TERM=xterm" inside what should be a TLS stream on 443: the
  # shell traffic of the OpenSSL/Slapper worm, not a handshake.
  event "MISC OpenSSL Worm traffic"
  tcp-state established,originator
  payload /.*[tT][eE][rR][mM]=[xX][tT][eE][rR][mM]/
  }
signature s2b-1889-5 {
  ip-proto == udp
  src-port == 2002
  dst-port == 2002
  event "MISC slapper worm 
admin traffic"
  payload /\x00\x00E\x00\x00E\x00\x00@\x00/
  }
signature s2b-1447-11 {
  ip-proto == tcp
  dst-port == 3389
  event "MISC MS Terminal server request RDP"
  tcp-state established,originator
  payload /\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00/
  }
signature s2b-1448-10 {
  ip-proto == tcp
  dst-port == 3389
  event "MISC MS Terminal server request"
  tcp-state established,originator
  payload /\x03\x00\x00/
  payload /.{4}\xE0\x00\x00\x00\x00\x00/
  }
signature s2b-2418-3 {
  ip-proto == tcp
  dst-port == 3389
  event "MISC MS Terminal Server no encryption session initiation attmept"
  tcp-state established,originator
  payload /\x03\x00\x01/
  payload /.{287}\x00/
  }
signature s2b-1819-5 {
  ip-proto == tcp
  dst-port == 2533
  event "MISC Alcatel PABX 4400 connection attempt"
  tcp-state established,originator
  payload /\x00\x01C/
  }
# NOTE(review): both bootp signatures below lost their byte_test, which was the
# whole check (hlen at offset 2 > 6 / htype at offset 1 > 7).  What remains is
# op == 1, i.e. every BOOTREQUEST on the segment; expect one event per DHCP
# discover/request until the length/type test is reimplemented in policy.
signature s2b-1939-4 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,6,2
  event "MISC bootp hardware address length overflow"
  payload /\x01/
  }
signature s2b-1940-3 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,7,1
  event "MISC bootp invalid hardware type"
  payload /\x01/
  }
signature s2b-2039-4 {
  ip-proto == udp
  dst-port == 67
  # Three '%' specifiers within a few bytes of each other in the options area
  # (after the fixed 240-byte header, option 0x0C = host name).
  event "MISC bootp hostname format string attempt"
  payload /\x01.{240}.*\x0C.*.*%.{1}.{0,7}%.{1}.{0,7}%/
  }
signature s2b-1966-2 {
  ip-proto == udp
  dst-port == 27155
  event "MISC GlobalSunTech Access Point Information Disclosure attempt"
  payload /.*gstsearch/
  }
signature s2b-1987-6 {
  ip-proto == tcp
  dst-port == 7100
  payload-size > 512
  event "MISC xfs overflow attempt"
  tcp-state established,originator
  payload /B\x00\x02/
  }
signature s2b-2041-2 {
  ip-proto == udp
  src-port == 49
  event "MISC xtacacs failed login response"
  payload /\x80\x02.{4}.*\x02/
  }
signature s2b-2043-2 {
  ip-proto == udp
  src-port == 500
  dst-port == 500
  event "MISC isakmp login failed"
  payload /.{16}\x10\x05.{13}\x00\x00\x00\x01\x01\x00\x00\x18/
  }
signature s2b-2048-2 {
  ip-proto == tcp
  dst-port == 873
  # Not supported: byte_test: 2,>,4000,0
  event "MISC 
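rsyncd overflow attempt"
  # NOTE(review): the dropped byte_test (length > 4000) was the overflow
  # condition.  The remaining /.{1}\x00\x00/ matches any rsync request whose
  # bytes 1-2 are zero, and tcp-state is "originator" only (not
  # "established"), so this is noisy and not state-checked.
  tcp-state originator
  payload /.{1}\x00\x00/
  }
# CVS pserver (2401) responses.  These are server-side error strings, so a
# burst from one source is the signal (repository / user guessing).
signature s2b-2008-4 {
  ip-proto == tcp
  src-port == 2401
  event "MISC CVS invalid user authentication response"
  tcp-state established,responder
  payload /.*E Fatal error, aborting\./
  payload /.*\x3A no such user/
  }
signature s2b-2009-2 {
  ip-proto == tcp
  src-port == 2401
  src-ip == local_nets
  event "MISC CVS invalid repository response"
  tcp-state established,responder
  payload /.*error /
  payload /.*\x3A no such repository/
  payload /.*I HATE YOU/
  }
signature s2b-2010-4 {
  ip-proto == tcp
  src-port == 2401
  # The server echoing the allocator's "chunk is already free" warning is the
  # visible sign that the double-free was actually triggered.
  event "MISC CVS double free exploit attempt response"
  tcp-state established,responder
  payload /.*free\x28\x29\x3A warning\x3A chunk is already free/
  }
signature s2b-2011-4 {
  ip-proto == tcp
  src-port == 2401
  event "MISC CVS invalid directory response"
  tcp-state established,responder
  payload /.*E protocol error\x3A invalid directory syntax in/
  }
signature s2b-2012-2 {
  ip-proto == tcp
  src-port == 2401
  event "MISC CVS missing cvsroot response"
  tcp-state established,responder
  payload /.*E protocol error\x3A Root request missing/
  }
signature s2b-2013-2 {
  ip-proto == tcp
  src-port == 2401
  event "MISC CVS invalid module response"
  tcp-state established,responder
  payload /.*cvs server\x3A cannot find module.{1}.*error/
  }
signature s2b-2317-4 {
  ip-proto == tcp
  src-port == 2401
  event "MISC CVS non-relative path error response"
  tcp-state established,responder
  payload /.*E cvs server\x3A warning\x3A cannot make directory CVS in \//
  }
signature s2b-2318-3 {
  ip-proto == tcp
  dst-port == 2401
  # Not supported: pcre: m?^Argument\s+/?smi,/^Directory/smiR
  event "MISC CVS non-relative path access attempt"
  tcp-state established,originator
  # The generated pattern read "[aA][Rr][Gg][Uu}[Mm]...[\x20\x09\x0b]]+": the
  # '}' turned "[Uu}[Mm]" into one character class and the stray ']' then
  # demanded a literal ']', so it could never match "Argument ".  It also
  # dropped the trailing '/' of the pcre ("^Argument\s+/"), which is the
  # actual non-relative (absolute) path check.
  payload /((^)|(\n+))[aA][rR][gG][uU][mM][eE][nN][tT][\x20\x09\x0b]+\//
  # NOTE(review): the pcre anchors "^Directory" to a line start relative to
  # the Argument match; this unanchored form matches the word anywhere in the
  # request, so the Argument pattern above does the discriminating.
  payload /.*[Dd][Ii][Rr][Ee][Cc][Tt][Oo][Rr][Yy]/
  }
signature s2b-2159-8 {
  ip-proto == tcp
  src-port == 179
  # 16-byte all-ones BGP marker, 2-byte length, then type 0 (no such type).
  event "MISC BGP invalid type 0"
  tcp-state stateless
  payload 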
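/\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF.{2}\x00/
  }
signature s2b-2500-4 {
  ip-proto == tcp
  dst-port == 636
  event "MISC LDAP SSLv3 invalid data version attempt"
  tcp-state established,originator
  # Record header: content type 0x16 (handshake), major version 0x03.
  payload /\x16\x03/
  # Handshake type 0x01 (ClientHello).
  payload /.{4}\x01/
  # Byte 8 must NOT be 0x03.  s2b emitted /.{8}[^\x03]*/ here; because the
  # class is starred it can match the empty string, so the condition held for
  # every record of 8+ bytes and the "invalid version" test was never applied.
  payload /.{8}[^\x03]/
  }
# NOTE(review): the three signatures below use port 639 as converted from the
# upstream rules; LDAP over SSL is 636 (cf. s2b-2500-4 above).  Confirm the
# port against the rule source before expecting any traffic to hit them.
signature s2b-2516-10 {
  ip-proto == tcp
  dst-port == 639
  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
  # The dropped byte_test chain carried the overflow condition (length field
  # > 32768); only two fixed bytes are checked now.
  event "MISC LDAP PCT Client_Hello overflow attempt"
  tcp-state established,originator
  payload /.{1}\x01/
  payload /.{10}\x8F/
  }
signature s2b-2533-5 {
  ip-proto == tcp
  src-port == 639
  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
  # Was a noalert flowbits setter in Snort; here it raises an event on every
  # ServerHello and gates nothing.
  event "MISC LDAP SSLv3 Server_Hello request"
  tcp-state established,responder
  payload /\x16\x03/
  payload /.{4}\x02/
  }
signature s2b-2534-3 {
  ip-proto == tcp
  dst-port == 639
  # Not supported: flowbits: isset,sslv3.server_hello.request
  # Without the flowbits "after a ServerHello" ordering this is just "a
  # ClientHello", i.e. the first record of every handshake.
  event "MISC LDAP SSLv3 invalid Client_Hello attempt"
  tcp-state established,originator
  payload /\x16\x03/
  payload /.{4}\x01/
  }
# HP Web JetAdmin (8000): script paths that allow firmware upload, settings
# changes and file writes without authentication on affected versions.
signature s2b-2547-2 {
  ip-proto == tcp
  dst-port == 8000
  event "MISC HP Web JetAdmin remote file upload attempt"
  tcp-state established,originator
  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[hH][pP][jJ][wW][jJ][aA]\/[sS][cC][rR][iI][pP][tT]\/[dD][eE][vV][iI][cC][eE][sS]_[uU][pP][dD][aA][tT][eE]_[pP][rR][iI][nN][tT][eE][rR]_[fF][wW]_[uU][pP][lL][oO][aA][dD]\.[hH][tT][sS]/
  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A.*.*[mM][uU][lL][tT][iI][pP][aA][rR][tT]/
  }
signature s2b-2548-1 {
  ip-proto == tcp
  dst-port == 8000
  event "MISC HP Web JetAdmin setinfo access"
  tcp-state established,originator
  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[hH][pP][jJ][dD][wW][mM]\/[sS][cC][rR][iI][pP][tT]\/[tT][eE][sS][tT]\/[sS][eE][tT][iI][nN][fF][oO]\.[hH][tT][sS]/
  }
signature s2b-2549-1 {
  ip-proto == tcp
  dst-port == 8000
  event "MISC HP Web JetAdmin file write attempt"
  tcp-state established,originator
  payload 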
/.*\/[pP][lL][uU][gG][iI][nN][sS]\/[fF][rR][aA][mM][eE][wW][oO][rR][kK]\/[sS][cC][rR][iI][pP][tT]\/[tT][rR][eE][eE]\.[xX][mM][sS]/
  payload /.*[wW][rR][iI][tT][eE][tT][oO][fF][iI][lL][eE]/
  }
signature s2b-2561-2 {
  ip-proto == tcp
  dst-port == 873
  # Not supported: pcre: /--backup-dir\s+\x2e\x2e\x2f/
  # "../" right after --backup-dir: path traversal through an rsync option.
  # Only the literal "../" form is checked; an absolute path or any other
  # encoding is not caught here.
  event "MISC rsync backup-dir directory traversal attempt"
  tcp-state established,originator
  payload /--backup-dir[\x20\x09\x0b]+\x2e\x2e\x2f/
  }
signature s2b-1428-5 {
  ip-proto == tcp
  # NOTE(review): hard-coded destination netblock for the AudioGalaxy service;
  # once that range is reassigned this signature is silently dead.
  dst-ip == 64.245.58.0/23
  event "MULTIMEDIA audio galaxy keepalive"
  tcp-state established
  payload /E_\x00\x03\x05/
  }
signature s2b-2423-2 {
  ip-proto == tcp
  dst-port == http_ports
  # Not supported: flowbits: set,realplayer.playlist,noalert
  # Was a noalert flowbits setter in Snort; converted, it raises an event for
  # every .rp playlist fetch.
  event "MULTIMEDIA realplayer .rp playlist download attempt"
  tcp-state established,originator
  http /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][Aa][Tt][Hh]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
  }
signature s2b-1775-2 {
  ip-proto == tcp
  dst-port == 3306
  # Client auth packet naming the user "root", seen in cleartext.  Whether
  # that is a problem depends on whether remote root logins are permitted;
  # correlate with the source host.
  event "MYSQL root login attempt"
  tcp-state established,originator
  payload /.*\x0A\x00\x00\x01\x85\x04\x00\x00\x80root\x00/
  }
signature s2b-1776-2 {
  ip-proto == tcp
  dst-port == 3306
  event "MYSQL show databases attempt"
  tcp-state established,originator
  payload /.*\x0F\x00\x00\x00\x03show databases/
  }
# NOTE(review): for the SMB "share access" family below, s2b dropped the
# byte_test on the flags2 byte (relative offset 6, the unicode bit), so the
# ASCII and unicode variants no longer discriminate and may both fire on one
# request.  IPC$ tree connects are also routine Windows behaviour; tune before
# alerting on them.
signature s2b-537-11 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB IPC$ share access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[iI][pP][cC]\x24\x00/
  }
signature s2b-538-10 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB IPC$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[iI]\x00[pP]\x00[cC]\x00\x24\x00\x00/
  }
signature s2b-2465-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB-DS IPC$ share access"
  tcp-state established,originator
  payload /\x00/
  payload 
/.{3}\xFFSMBu.{32}.*[iI][pP][cC]\x24\x00/
  }
signature s2b-2466-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB-DS IPC$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[iI]\x00[pP]\x00[cC]\x00\x24\x00\x00/
  }
# Administrative shares (D$, C$, ADMIN$): a tree connect (SMB command 0x75,
# 'u') to one of these from outside the admin population is usually a better
# signal than IPC$.  The flags2 unicode byte_test was dropped by s2b, so the
# ASCII/unicode pairs no longer discriminate.
signature s2b-536-7 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB D$ share access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[dD]\x24\x00/
  }
signature s2b-2467-3 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB D$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[dD]\x00\x24\x00\x00/
  }
signature s2b-2468-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB-DS D$ share access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[dD]\x24\x00/
  }
signature s2b-2469-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB-DS D$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[dD]\x00\x24\x00\x00/
  }
signature s2b-533-8 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB C$ share access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[cC]\x24\x00/
  }
signature s2b-2470-3 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB C$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[cC]\x00\x24\x00\x00/
  }
signature s2b-2471-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB-DS C$ share access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[cC]\x24\x00/
  }
signature s2b-2472-3 {
ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB-DS C$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[cC]\x00\x24\x00\x00/
  }
signature s2b-532-8 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB ADMIN$ share access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[aA][dD][mM][iI][nN]\x24\x00/
  }
signature s2b-2473-3 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB ADMIN$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[aA]\x00[dD]\x00[mM]\x00[iI]\x00[nN]\x00\x24\x00\x00/
  }
signature s2b-2474-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,<,128,6,relative
  event "NETBIOS SMB-DS ADMIN$ share access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[aA][dD][mM][iI][nN]\x24\x00/
  }
signature s2b-2475-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB-DS ADMIN$ share unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMBu.{32}.*[aA]\x00[dD]\x00[mM]\x00[iI]\x00[nN]\x00\x24\x00\x00/
  }
# Opening the \winreg named pipe (NT Create AndX, command 0xA2) is the first
# step of remote registry access.  Legitimate for admin tooling, so correlate
# with the source host rather than alerting blind.
signature s2b-2174-4 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB winreg access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMB\xA2/
  payload /.{84}.*\x5C[wW][iI][nN][rR][eE][gG]\x00/
  }
signature s2b-2175-5 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB winreg unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMB\xA2/
  payload /.{84}.*\x5C\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00/
  }
signature s2b-2476-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: set,smb.winreg.create
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB-DS Create AndX Request winreg attempt"
  tcp-state established,originator
payload /\x00/
  payload /.{3}\xFFSMB\xA2.{79}\x5C[wW][iI][nN][rR][eE][gG]\x00/
  }
signature s2b-2477-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: set,smb.winreg.create
  # Not supported: byte_test: 1,>,127,6,relative
  event "NETBIOS SMB-DS Create AndX Request winreg unicode attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMB\xA2.{79}\x5C\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00\x00\x00/
  }
# NOTE(review): the winreg chain below relied on flowbits (winreg.create ->
# dce.bind.winreg -> shutdown) to order the steps.  s2b dropped them, so each
# signature now fires on its own fragment of the exchange with no guarantee
# that the earlier steps happened on the same connection.
signature s2b-2478-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: set,smb.dce.bind.winreg,isset,smb.winreg.create
  # Not supported: byte_test: 1,<,128,6,relative,1,&,16,1,relative
  event "NETBIOS SMB-DS DCERPC bind winreg attempt"
  tcp-state established,originator
  payload /\x00/
  # SMB Transaction (0x25, '%') to \pipe\ carrying a DCERPC bind (version 5,
  # PDU type 0x0B) for the winreg interface, UUID
  # 338cd001-2244-31f1-aaaa-900038001003 (little-endian in the bytes below).
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C[pP][iI][pP][eE]\x5C\x00\x05\x00\x0B.{29}\x01\xD0\x8C3D\x22\xF11\xAA\xAA\x90\x008\x00\x10\x03/
  }
signature s2b-2480-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: isset,smb.dce.bind.winreg
  # Not supported: byte_test: 1,>,127,6,relative,1,&,16,1,relative
  # Request PDU (type 0x00) with opnum 0x0018 -- big-endian variant.
  event "NETBIOS SMB-DS DCERPC shutdown unicode attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x00\x00\x05\x00\x00.{19}\x18\x00/
  }
signature s2b-2481-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: isset,smb.dce.bind.winreg
  # Not supported: byte_test: 1,>,127,6,relative,1,<,16,1,relative
  # Same as s2b-2480-3 with the opnum in little-endian byte order.
  event "NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x00\x00\x05\x00\x00.{19}\x00\x18/
  }
# Nimda worm artefacts written over SMB (UTF-16 file names).
signature s2b-1293-10 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS nimda .eml"
  tcp-state established,originator
  payload /.*\x00\.\x00E\x00M\x00L/
  }
signature s2b-1294-10 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS nimda .nws"
  tcp-state established,originator
  payload 
/.*\x00\.\x00N\x00W\x00S/
  }
signature s2b-1295-9 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS nimda RICHED20.DLL"
  tcp-state established,originator
  payload /.*R\x00I\x00C\x00H\x00E\x00D\x002\x000/
  }
signature s2b-529-7 {
  ip-proto == tcp
  dst-port == 139
  # UTF-16 "\\*SMBSERVER" followed by the fixed parameter block of the
  # RFPoison denial-of-service request.
  event "NETBIOS DOS RFPoison"
  tcp-state established,originator
  payload /.*\x5C\x00\x5C\x00\*\x00S\x00M\x00B\x00S\x00E\x00R\x00V\x00E\x00R\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00/
  }
signature s2b-530-10 {
  ip-proto == tcp
  dst-port == 139
  # Fingerprint s2b kept for an anonymous (null) session setup: leading NULs
  # and the UTF-16 "Windows NT 1381" native-OS string.  Null sessions are how
  # pre-auth user/share enumeration is done; worth an event even though older
  # clients open them routinely.
  event "NETBIOS NT NULL session"
  tcp-state established,originator
  payload /.*\x00\x00\x00\x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00N\x00T\x00 \x001\x003\x008\x001/
  }
signature s2b-1239-5 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS RFParalyze Attempt"
  tcp-state established,originator
  payload /.*BEAVIS/
  payload /.*yep yep/
  }
# "\..\" / "\..." style path escapes inside an SMB request: traversal out of
# the share root.
signature s2b-534-6 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB CD.."
  tcp-state established,originator
  payload /.*\x5C\.\.\/\x00\x00\x00/
  }
signature s2b-535-6 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB CD..."
tcp-state established,originator
  payload /.*\x5C\.\.\.\x00\x00\x00/
  }
# Writes into the all-users Startup folder over SMB: a persistence technique
# (anything dropped there runs at next logon).
signature s2b-2176-4 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB startup folder access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMB2.*.*[dD][oO][cC][uU][mM][eE][nN][tT][sS] [aA][nN][dD] [sS][eE][tT][tT][iI][nN][gG][sS]\x5C[aA][lL][lL] [uU][sS][eE][rR][sS]\x5C[sS][tT][aA][rR][tT] [mM][eE][nN][uU]\x5C[pP][rR][oO][gG][rR][aA][mM][sS]\x5C[sS][tT][aA][rR][tT][uU][pP]\x00/
  }
signature s2b-2177-4 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB startup folder unicode access"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMB2.*.*\x5C\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00 \x00[mM]\x00[eE]\x00[nN]\x00[uU]\x00\x5C\x00[pP]\x00[rR]\x00[oO]\x00[gG]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00\x5C\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00[uU]\x00[pP]/
  }
signature s2b-2101-9 {
  ip-proto == tcp
  dst-port == 139
  # SMB_COM_TRANSACTION (0x25, '%') with four zero bytes where the max
  # parameter / max data counts sit.
  event "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMB%/
  payload /.{42}\x00\x00\x00\x00/
  }
signature s2b-2103-9 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 2,>,256,0,relative,little
  # NOTE(review): the dropped byte_test (> 256) was the overflow condition for
  # trans2open; what remains fires on any TRANS2 (0x32, '2') request carrying
  # the 00 14 word at that offset, oversized or not.
  event "NETBIOS SMB trans2open buffer overflow attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFFSMB2/
  payload /.{59}\x00\x14/
  }
# DCERPC bind (version 5, PDU type 0x0B).  The byte_test that checked a bit of
# the byte after the match was dropped, so only the PDU shape is verified.
signature s2b-2190-3 {
  ip-proto == tcp
  dst-port == 135
  # Not supported: byte_test: 1,&,1,0,relative
  event "NETBIOS DCERPC invalid bind attempt"
  tcp-state established,originator
  payload /\x05.{1}\x0B.{21}\x00/
  }
signature s2b-2191-3 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,&,1,0,relative
  event "NETBIOS SMB DCERPC invalid bind attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00.{2}\x05.{1}\x0B.{21}\x00/
  }
signature s2b-2192-8 {
  ip-proto == tcp
  dst-port == 135
  # Not supported: flowbits: 
set,dce.isystemactivator.bind.attempt,noalert
  # NOTE(review): this was a noalert flowbits setter in Snort.  Converted, it
  # raises an event on every ISystemActivator bind to 135 (UUID
  # 000001a0-0000-0000-c000-000000000046, i.e. ordinary DCOM activation) and
  # gates nothing.
  event "NETBIOS DCERPC ISystemActivator bind attempt"
  # Not supported: byte_test: 1,&,1,0,relative
  tcp-state established,originator
  payload /\x05.{1}\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
  }
signature s2b-2193-9 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: set,dce.isystemactivator.bind.call.attempt
  event "NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"
  # Not supported: byte_test: 1,&,1,0,relative
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x05.{1}\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
  }
signature s2b-2493-5 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: flowbits: set,dce.isystemactivator.bind.call.attempt
  event "NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"
  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
  }
# Remote Activation interface binds, UUID 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
# (little-endian in the bytes below).  A bind alone is not an exploit; the
# request that follows it is, and nothing here inspects that.
signature s2b-2251-11 {
  ip-proto == tcp
  dst-port == 135
  # Not supported: byte_test: 1,&,1,0,relative
  event "NETBIOS DCERPC Remote Activation bind attempt"
  tcp-state established,originator
  payload /\x05.{1}\x0B.{29}\xB8J\x9FM\x1C\}\xCF\x11\x86\x1E\x00 \xAFn\x7CW/
  }
signature s2b-2252-11 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,&,1,0,relative
  event "NETBIOS SMB-DS DCERPC Remote Activation bind attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x05.{1}\x0B.{29}\xB8J\x9FM\x1C\}\xCF\x11\x86\x1E\x00 \xAFn\x7CW/
  }
signature s2b-2257-5 {
  ip-proto == udp
  dst-port == 135
  # Not supported: byte_test: 1,>,15,2,relative,4,>,1024,0,little,relative
  # Not supported: byte_jump: 4,86,little,align,relative,4,8,little,align,relative
event "NETBIOS DCERPC Messenger Service buffer overflow attempt"
  # NOTE(review): the byte_test/byte_jump pair above carried the whole overflow
  # check (a 4-byte length > 1024).  All that survives is "DCERPC request PDU
  # over UDP" (\x04\x00), which is every connectionless RPC call to 135 --
  # effectively a noise generator until the length check is reimplemented.
  payload /\x04\x00/
  }
signature s2b-2258-6 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 1,>,15,2,relative,4,>,1024,0,little,relative
  # Not supported: byte_jump: 4,86,little,align,relative,4,8,little,align,relative
  # Same caveat as s2b-2257-5: without the length test this is just "a DCERPC
  # request PDU through \pipe\".
  event "NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x04\x00/
  }
# Workstation Service (wkssvc) interface binds, UUID
# 6bffd098-a112-3610-9833-46c3f87e345a (little-endian in the bytes below),
# via \PIPE\ on 139/445 and, further down, directly on dynamic ports.
signature s2b-2308-6 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
  event "NETBIOS SMB DCERPC Workstation Service unicode bind attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
  }
signature s2b-2309-6 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 2,^,1,5,relative,1,&,16,1,relative
  event "NETBIOS SMB DCERPC Workstation Service bind attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5CPIPE\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
  }
signature s2b-2310-8 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
  event "NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
  }
signature s2b-2311-7 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 2,^,1,5,relative,1,&,16,1,relative
  event "NETBIOS SMB-DS DCERPC Workstation Service bind attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5CPIPE\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
  }
signature s2b-2315-6 {
  ip-proto 
== tcp
  dst-port >= 1024
  dst-port <= 65535
  # Not supported: byte_test: 1,&,16,1,relative
  # Direct (non-SMB) wkssvc bind on a dynamic port.  This is evaluated on every
  # high-port TCP stream, so keep an eye on the matching cost.
  event "NETBIOS DCERPC Workstation Service direct service bind attempt"
  tcp-state established,originator
  payload /\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
  }
signature s2b-2316-6 {
  ip-proto == udp
  dst-port >= 1024
  dst-port <= 65535
  # Not supported: byte_test: 1,&,16,2,relative
  event "NETBIOS DCERPC Workstation Service direct service access attempt"
  payload /\x04\x00.{22}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
  }
signature s2b-2348-6 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: set,dce.printer.bind,noalert
  # Not supported: byte_test: 1,&,16,1,relative
  # NOTE(review): noalert setter in Snort; converted, it fires on every spoolss
  # bind (UUID 12345678-1234-abcd-ef00-0123456789ab), i.e. on normal printing.
  event "NETBIOS SMB-DS DCERPC print spool bind attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x00\x00\x05\x00\x0B.{29}xV4\x124\x12\xCD\xAB\xEF\x00\x01\x23Eg\x89\xAB/
  }
# Session Setup AndX (0x73, 's') carrying a SPNEGO token (OID 1.3.6.1.5.5.2)
# with the NTLMSSP mech OID 1.3.6.1.4.1.311.2.2.10 and a malformed mechType /
# mechListMIC element, per the event names.
signature s2b-2382-8 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB NTLMSSP invalid mechtype attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB][sS]/
  payload /.{62}`.{1}\x06\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA1\x05\x23\x03\x03\x01\x07/
  }
signature s2b-2383-9 {
  ip-proto == tcp
  dst-port == 445
  event "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB][sS]/
  payload /.{62}`.{1}\x06\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA1\x05\x23\x03\x03\x01\x07/
  }
signature s2b-2384-8 {
  ip-proto == tcp
  dst-port == 139
  event "NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB][sS]/
  payload /.{62}`.{1}\x00\x00\x00b\x06\x83\x00\x00\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA3>0<\xA00/
  }
signature s2b-2385-9 {
  ip-proto == tcp
  dst-port == 445
  event "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC 
attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB][sS]/
  payload /.{62}`.{1}\x00\x00\x00b\x06\x83\x00\x00\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA3>0<\xA00/
  }
# Session Setup AndX (0x73, 's') with an over-long account name.  The dropped
# byte_tests bounded the length fields; the 255-byte run of non-NUL bytes is
# the approximation that survived.
signature s2b-2401-4 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 2,>,322,2,1,<,128,6,relative,2,>,255,8,relative,little
  event "NETBIOS SMB Session Setup AndX request username overflow attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB][sS].{42}\x00\x00\x00\x00.{10}[^\x00]{255}/
  }
signature s2b-2402-5 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 2,>,322,2,1,<,128,6,relative,2,>,255,8,relative,little
  event "NETBIOS SMB-DS Session Setup AndX request username overflow attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB][sS].{42}\x00\x00\x00\x00.{10}[^\x00]{255}/
  }
signature s2b-2403-4 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: byte_test: 2,>,322,2,1,&,128,6,relative,2,>,255,54,relative,little
  event "NETBIOS SMB Session Setup AndX request unicode username overflow attempt"
  tcp-state established,originator
  # The first pattern (".*.*\x00\x00.*.*\x00\x00") is satisfied by any request
  # containing two NUL pairs and adds nothing; the third carries the check.
  payload /.*.*\x00\x00.*.*\x00\x00/
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB][sS].{56}.*\x00.{255}.*\x00\x00.*.*\x00\x00/
  }
signature s2b-2404-5 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: byte_test: 2,>,322,2,1,&,128,6,relative,2,>,255,54,relative,little
  event "NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"
  tcp-state established,originator
  payload /.*.*\x00\x00.*.*\x00\x00/
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB][sS].{56}.*\x00.{255}.*\x00\x00.*.*\x00\x00/
  }
signature s2b-2495-5 {
  ip-proto == tcp
  dst-port == 139
  # Not supported: threshold: type both, track by_dst, count 20, seconds 60
  # Not supported: flowbits: isset,dce.isystemactivator.bind.call.attempt
  # Not supported: byte_test: 1,&,1,0,relative
  # NOTE(review): the "flood" semantics lived in the dropped threshold (20 in
  # 60 s per destination); here a single ORPCThis ("MEOW") request fires it.
  event "NETBIOS SMB DCEPRC ORPCThis request flood attempt"
  tcp-state established,originator
  payload 
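/\x05.{1}\x00.{21}\x05/
  payload /.*MEOW/
  }
signature s2b-2524-7 {
  ip-proto == tcp
  dst-port == 135
  # Not supported: flowbits: set,netbios.lsass.bind.attempt,noalert
  # NOTE(review): as converted this can never fire.  Port 135 carries raw
  # DCERPC (PDU at offset 0, cf. s2b-2190-3 / s2b-2251-11), yet the patterns
  # require an SMB header ("\xFFSMB" at offset 3) in front of the bind.
  # Either the port or the SMB-header payload is wrong; check against the
  # upstream rule.  It was also a noalert flowbits setter in Snort.
  event "NETBIOS DCERPC LSASS direct bind attempt"
  tcp-state established,originator
  payload /\x00/
  payload /.{3}\xFF[sS][mM][bB]/
  # Bind to interface UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5 (little-endian
  # below), the interface s2b-2514-7 expects to have been bound first.
  payload /.*\x05.{1}\x0B.{29}j\x28\x199\x0C\xB1\xD0\x11\x9B\xA8\x00\xC0O\xD9\.\xF5/
  }
signature s2b-2514-7 {
  ip-proto == tcp
  dst-port == 445
  # Not supported: flowbits: isset,netbios.lsass.bind.attempt
  # NOTE(review): with the flowbits gate gone this no longer knows that a bind
  # to the interface above preceded it; it fires on any SMB-carried DCERPC
  # request (PDU type 0x00) whose opnum is 9, on any interface.
  event "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
  tcp-state established,originator
  payload /.{3}\xFF[sS][mM][bB].{59}.*\x05.{1}\x00.{19}\x09\x00/
  }
signature s2b-2564-4 {
  ip-proto == udp
  src-port == 137
  dst-port == 137
  # Not supported: byte_test: 1,>,127,2
  # NBNS packet under 56 bytes claiming one question; the dropped byte_test
  # (high bit of byte 2, the response flag) is what made it a "response".
  payload-size < 56
  event "NETBIOS NS lookup short response attempt"
  payload /.{5}\x00\x01/
  }
signature s2b-1792-8 {
  ip-proto == tcp
  src-port == 119
  # Not supported: pcre: /^200\s[^\n]{64}/smi
  event "NNTP return code buffer overflow attempt"
  # A 200 return code is sent by the server (src-port 119), so the payload to
  # inspect is the responder's.  s2b emitted "originator" here, presumably from
  # the rule's flow option; paired with src-port == 119 that could only match a
  # client that happened to use source port 119.  Every other server-response
  # signature in this file (e.g. s2b-491-8, s2b-2008-4) uses responder.
  tcp-state established,responder
  # Not supported: isdataat: 64,relative
  payload /((^)|(\n+))200[\x20\x09\x0b][^\n]{64}/
  }
signature s2b-1538-13 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^AUTHINFO\s+USER\s[^\n]{200}/smi
  event "NNTP AUTHINFO USER overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 200,relative
  payload /((^)|(\n+))[aA][uU][tT][hH][iI][nN][fF][oO][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{200}/
  }
# NNTP control-message header overflows: a "<header>:" line followed by at
# least 21 non-newline bytes.  21 bytes is short enough that long but
# legitimate values will trip these; treat them as low-confidence.
signature s2b-2424-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^sendsys\x3a[^\n]{21}/smi
  event "NNTP sendsys overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[sS][eE][nN][dD][sS][yY][sS]\x3a[^\n]{21}/
  }
signature s2b-2425-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^senduuname\x3a[^\n]{21}/smi
  event "NNTP senduuname overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]\x3a[^\n]{21}/
  }
signature 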
s2b-2426-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^version\x3a[^\n]{21}/smi
  event "NNTP version overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[vV][eE][rR][sS][iI][oO][nN]\x3a[^\n]{21}/
  }
signature s2b-2427-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^checkgroups\x3a[^\n]{21}/smi
  event "NNTP checkgroups overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]\x3a[^\n]{21}/
  }
signature s2b-2428-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^ihave\x3a[^\n]{21}/smi
  event "NNTP ihave overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[iI][hH][aA][vV][eE]\x3a[^\n]{21}/
  }
signature s2b-2429-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^sendme\x3a[^\n]{21}/smi
  event "NNTP sendme overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[sS][eE][nN][dD][mM][eE]\x3a[^\n]{21}/
  }
signature s2b-2430-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^newgroup\x3a[^\n]{21}/smi
  event "NNTP newgroup overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[nN][eE][wW][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
  }
signature s2b-2431-3 {
  ip-proto == tcp
  dst-port == 119
  # Not supported: pcre: /^rmgroup\x3a[^\n]{21}/smi
  event "NNTP rmgroup overflow attempt"
  tcp-state established,originator
  payload /((^)|(\n+))[rR][mM][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
  }
# ORACLE signatures: plain substring matches on cleartext traffic to
# oracle_ports.  They see nothing once the SQL*Net link is encrypted, and the
# SQL-keyword ones (union, grant, alter, drop ...) fire on ordinary DBA and
# application traffic; scope them by source host before alerting.
signature s2b-1673-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE EXECUTE_SYSTEM attempt"
  tcp-state established,originator
  payload /.*[eE][xX][eE][cC][uU][tT][eE]_[sS][yY][sS][tT][eE][mM]/
  }
signature s2b-1674-5 {
  ip-proto == tcp
  dst-port == oracle_ports
  # connect_data(command=version): recon against the listener, not an exploit.
  event "ORACLE connect_data remote version detection attempt"
  tcp-state established,originator
  payload /.*[cC][oO][nN][nN][eE][cC][tT]_[dD][aA][tT][aA]\x28[cC][oO][mM][mM][aA][nN][dD]=[vV][eE][rR][sS][iI][oO][nN]\x29/
  }
signature s2b-1675-4 {
  ip-proto == tcp
  dst-port == oracle_ports
event "ORACLE misparsed login response"
  tcp-state established,responder
  # NOTE(review): the two "payload /.*/" conditions below match anything and
  # add no constraint; only the DESCRIPTION=( match is effective. This is a
  # responder-side signature whose port test (previous line) is dst-port;
  # confirm that is the intended side for a server response.
  payload /.*[dD][eE][sS][cC][rR][iI][pP][tT][iI][oO][nN]=\x28/
  payload /.*/
  payload /.*/
}
signature s2b-1676-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE select union attempt"
  tcp-state established,originator
  payload /.*[sS][eE][lL][eE][cC][tT] /
  payload /.* [uU][nN][iI][oO][nN] /
}
signature s2b-1677-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE select like '%' attempt"
  tcp-state established,originator
  payload /.* [wW][hH][eE][rR][eE] /
  payload /.* [lL][iI][kK][eE] '%'/
}
signature s2b-1678-5 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE select like '%' attempt backslash escaped"
  tcp-state established,originator
  payload /.* [wW][hH][eE][rR][eE] /
  payload /.* [lL][iI][kK][eE] \x22%\x22/
}
signature s2b-1680-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE all_constraints access"
  tcp-state established,originator
  payload /.*[aA][lL][lL]_[cC][oO][nN][sS][tT][rR][aA][iI][nN][tT][sS]/
}
signature s2b-1681-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE all_views access"
  tcp-state established,originator
  payload /.*[aA][lL][lL]_[vV][iI][eE][wW][sS]/
}
signature s2b-1682-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE all_source access"
  tcp-state established,originator
  payload /.*[aA][lL][lL]_[sS][oO][uU][rR][cC][eE]/
}
signature s2b-1683-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE all_tables access"
  tcp-state established,originator
  payload /.*[aA][lL][lL]_[tT][aA][bB][lL][eE][sS]/
}
signature s2b-1684-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE all_tab_columns access"
  tcp-state established,originator
  payload /.*[aA][lL][lL]_[tT][aA][bB]_[cC][oO][lL][uU][mM][nN][sS]/
}
signature s2b-1685-4 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE all_tab_privs access"
  tcp-state established,originator
  payload /.*[aA][lL][lL]_[tT][aA][bB]_[pP][rR][iI][vV][sS]/
}
signature s2b-1686-3 {
  ip-proto == tcp
dst-port == oracle_ports
  event "ORACLE dba_tablespace access"
  tcp-state established,originator
  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
}
signature s2b-1687-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE dba_tables access"
  tcp-state established,originator
  # NOTE(review): this pattern is a prefix of the dba_tablespace one above, so
  # a single dba_tablespace reference raises both events.
  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS]/
}
signature s2b-1688-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE user_tablespace access"
  tcp-state established,originator
  payload /.*[uU][sS][eE][rR]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
}
signature s2b-1689-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE sys.all_users access"
  tcp-state established,originator
  payload /.*[sS][yY][sS]\.[aA][lL][lL]_[uU][sS][eE][rR][sS]/
}
signature s2b-1690-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE grant attempt"
  tcp-state established,originator
  # Both words may appear anywhere in the payload, not necessarily in order.
  payload /.*[gG][rR][aA][nN][tT] /
  payload /.* [tT][oO] /
}
signature s2b-1691-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE ALTER USER attempt"
  tcp-state established,originator
  payload /.*[aA][lL][tT][eE][rR] [uU][sS][eE][rR]/
  payload /.* [iI][dD][eE][nN][tT][iI][fF][iI][eE][dD] [bB][yY] /
}
signature s2b-1692-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE drop table attempt"
  tcp-state established,originator
  payload /.*[dD][rR][oO][pP] [tT][aA][bB][lL][eE]/
}
signature s2b-1693-4 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE create table attempt"
  tcp-state established,originator
  payload /.*[cC][rR][eE][aA][tT][eE] [tT][aA][bB][lL][eE]/
}
signature s2b-1694-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE alter table attempt"
  tcp-state established,originator
  payload /.*[aA][lL][tT][eE][rR] [tT][aA][bB][lL][eE]/
}
signature s2b-1695-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE truncate table attempt"
  tcp-state established,originator
  payload /.*[tT][rR][uU][nN][cC][aA][tT][eE] [tT][aA][bB][lL][eE]/
}
signature s2b-1696-3 {
  ip-proto == tcp
  dst-port ==
oracle_ports
  event "ORACLE create database attempt"
  tcp-state established,originator
  payload /.*[cC][rR][eE][aA][tT][eE] [dD][aA][tT][aA][bB][aA][sS][eE]/
}
signature s2b-1697-3 {
  ip-proto == tcp
  dst-port == oracle_ports
  event "ORACLE alter database attempt"
  tcp-state established,originator
  payload /.*[aA][lL][tT][eE][rR] [dD][aA][tT][aA][bB][aA][sS][eE]/
}
signature s2b-2576-2 {
  ip-proto == tcp
  dst-port == oracle_ports
  # Not supported: pcre: /(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi
  event "ORACLE generate_replication_support prefix overflow attempt"
  tcp-state established,originator
  payload /.*[gG][eE][nN][eE][rR][aA][tT][eE]_[rR][eE][pP][lL][iI][cC][aA][tT][iI][oO][nN]_[sS][uU][pP][pP][oO][rR][tT]/
  # NOTE(review): the second pattern has no leading ".*", unlike every other
  # converted content match in this file. If payload regexes are anchored at
  # offset 0 it only matches a request that *starts* with package_prefix or
  # procedure_prefix, whereas the Snort pcre was relative (R) to the
  # generate_replication_support match. Verify against a sample before
  # relying on this signature.
  payload /([pP][aA][cC][kK][aA][gG][eE]|[pP][rR][oO][cC][eE][dD][uU][rR][eE])_[pP][rR][eE][fF][iI][xX][\x20\x09\x0b\r\n]*=>[\x20\x09\x0b\r\n]*('[^']{1000,}|"[^"]{1000,})/
}
signature s2b-1760-3 {
  ip-proto == tcp
  src-port == 902
  event "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
  tcp-state established,responder
  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
}
signature s2b-1761-3 {
  ip-proto == tcp
  src-port == 2998
  event "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
  tcp-state established,responder
  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
}
signature s2b-1629-6 {
  ip-proto == tcp
  # No port or direction constraint: matches either side of any established
  # TCP connection whose payload begins with these six bytes.
  event "OTHER-IDS SecureNetPro traffic"
  tcp-state established
  payload /\x00g\x00\x01\x00\x03/
}
signature s2b-1934-6 {
  ip-proto == tcp
  dst-port == 109
  # Not supported: pcre: /^FOLD\s[^\n]{256}/smi
  event "POP2 FOLD overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 256,relative
  requires-reverse-signature !
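pop_return_error
  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b][^\n]{256}/
}
signature s2b-1935-4 {
  ip-proto == tcp
  dst-port == 109
  # Not supported: pcre: /^FOLD\s+\//smi
  event "POP2 FOLD arbitrary file attempt"
  tcp-state established,originator
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b]+\//
}
signature s2b-284-6 {
  ip-proto == tcp
  dst-port == 109
  event "POP2 x86 Linux overflow"
  tcp-state established,originator
  payload /.*\xEB,\[\x89\xD9\x80\xC1\x069\xD9\x7C\x07\x80\x01/
  requires-reverse-signature ! pop_return_error
}
signature s2b-285-6 {
  ip-proto == tcp
  dst-port == 109
  event "POP2 x86 Linux overflow"
  tcp-state established,originator
  payload /.*\xFF\xFF\xFF\/BIN\/SH\x00/
  requires-reverse-signature ! pop_return_error
}
signature s2b-2121-8 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^DELE\s+-\d/smi
  event "POP3 DELE negative arguement attempt"
  tcp-state established,originator
  requires-reverse-signature ! pop_return_error
  # FIX(review): the generated pattern was "[dD][eE][lL][eE]+-[0-9]" -- the
  # whitespace class between the command and its argument was missing, so a
  # real "DELE -1" could never match. The pattern now mirrors the pcre above
  # and the sibling s2b-2122-7. Regenerating this file will overwrite the fix
  # unless the converter is corrected as well.
  payload /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b]+-[0-9]/
}
signature s2b-2122-7 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^UIDL\s+-\d/smi
  event "POP3 UIDL negative arguement attempt"
  tcp-state established,originator
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[uU][iI][dD][lL][\x20\x09\x0b]+-[0-9]/
}
signature s2b-1866-10 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^USER\s[^\n]{50,}/smi
  event "POP3 USER overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 50,relative
  # The {50,} quantifier below already enforces the length isdataat checked.
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{50,}/
}
signature s2b-2108-3 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^CAPA\s[^\n]{10}/smi
  event "POP3 CAPA overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 10,relative
  requires-reverse-signature !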
pop_return_error
  payload /((^)|(\n+))[cC][aA][pP][aA][\x20\x09\x0b][^\n]{10}/
}
# NOTE(review): s2b-2109-3 through s2b-2112-3 and s2b-1937-5 fire on a mere
# 10 bytes after the command, which long but legitimate arguments can reach;
# expect benign hits and tune accordingly.
signature s2b-2109-3 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^TOP\s[^\n]{10}/smi
  event "POP3 TOP overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 10,relative
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[tT][oO][pP][\x20\x09\x0b][^\n]{10}/
}
signature s2b-2110-3 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^STAT\s[^\n]{10}/smi
  event "POP3 STAT overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 10,relative
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{10}/
}
signature s2b-2111-3 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^DELE\s[^\n]{10}/smi
  event "POP3 DELE overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 10,relative
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{10}/
}
signature s2b-2112-3 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^RSET\s[^\n]{10}/smi
  event "POP3 RSET overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 10,relative
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[rR][sS][eE][tT][\x20\x09\x0b][^\n]{10}/
}
signature s2b-1936-4 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^AUTH\s[^\n]{50}/smi
  event "POP3 AUTH overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 50,relative
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{50}/
}
signature s2b-1937-5 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^LIST\s[^\n]{10}/smi
  event "POP3 LIST overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 10,relative
  requires-reverse-signature !
pop_return_error
  payload /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{10}/
}
signature s2b-1938-4 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^XTND\s[^\n]{50}/smi
  event "POP3 XTND overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 50,relative
  # NOTE(review): this first payload condition is subsumed by the last one
  # (any match of the line-anchored pattern also contains "xtnd"); it costs
  # a scan and adds nothing.
  payload /.*[xX][tT][nN][dD]/
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[xX][tT][nN][dD][\x20\x09\x0b][^\n]{50}/
}
signature s2b-1634-11 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^PASS\s[^\n]{50}/smi
  event "POP3 PASS overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 50,relative
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{50}/
}
signature s2b-1635-13 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^APOP\s[^\n]{256}/smi
  event "POP3 APOP overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 256,relative
  requires-reverse-signature ! pop_return_error
  payload /((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b][^\n]{256}/
}
# The four signatures below are fixed byte-sequence matches for known
# shellcode fragments; they are exact-content checks with no length logic.
signature s2b-286-9 {
  ip-proto == tcp
  dst-port == 110
  event "POP3 EXPLOIT x86 BSD overflow"
  tcp-state established,originator
  payload /.*\^\x0E1\xC0\xB0\x3B\x8D~\x0E\x89\xFA\x89\xF9/
  requires-reverse-signature ! pop_return_error
}
signature s2b-287-6 {
  ip-proto == tcp
  dst-port == 110
  event "POP3 EXPLOIT x86 BSD overflow"
  tcp-state established,originator
  payload /.*h\]\^\xFF\xD5\xFF\xD4\xFF\xF5\x8B\xF5\x90f1/
  requires-reverse-signature ! pop_return_error
}
signature s2b-288-6 {
  ip-proto == tcp
  dst-port == 110
  event "POP3 EXPLOIT x86 Linux overflow"
  tcp-state established,originator
  payload /.*\xD8@\xCD\x80\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
  requires-reverse-signature ! pop_return_error
}
signature s2b-289-6 {
  ip-proto == tcp
  dst-port == 110
  event "POP3 EXPLOIT x86 SCO overflow"
  tcp-state established,originator
  payload /.*V\x0E1\xC0\xB0\x3B\x8D~\x12\x89\xF9\x89\xF9/
  requires-reverse-signature !
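pop_return_error
}
signature s2b-290-7 {
  ip-proto == tcp
  dst-port == 110
  event "POP3 EXPLOIT qpopper overflow"
  tcp-state established,originator
  payload /.*\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
  requires-reverse-signature ! pop_return_error
}
signature s2b-2250-1 {
  ip-proto == tcp
  dst-port == 110
  event "POP3 USER format string attempt"
  tcp-state established,originator
  # Any USER line followed by two '%' characters anywhere in the payload.
  payload /.*[uU][sS][eE][rR].{1}.*%.{1}.*%/
  requires-reverse-signature ! pop_return_error
}
signature s2b-2409-1 {
  ip-proto == tcp
  dst-port == 110
  # Not supported: pcre: /^APOP\s+USER\s[^\n]{256}/smi
  event "POP3 APOP USER overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 256,relative
  requires-reverse-signature ! pop_return_error
  # FIX(review): the generated pattern ended in "[^\n]{2,56}", i.e. it matched
  # any argument of 2 to 56 bytes -- essentially every APOP USER line -- and
  # never enforced the 256-byte length the pcre and isdataat above describe.
  # Corrected to {256}. Regenerating this file will overwrite the fix unless
  # the converter is corrected as well.
  payload /((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{256}/
}
signature s2b-2502-7 {
  ip-proto == tcp
  dst-port == 995
  event "POP3 SSLv3 invalid data version attempt"
  tcp-state established,originator
  payload /\x16\x03/
  payload /.{4}\x01/
  # NOTE(review): "[^\x03]*" also matches the empty string, so this third
  # condition only requires a payload of at least 8 bytes; the "invalid
  # version" check it was meant to express is effectively absent.
  payload /.{8}[^\x03]*/
  requires-reverse-signature ! pop_return_error
}
signature s2b-2518-10 {
  ip-proto == tcp
  dst-port == 995
  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
  # NOTE(review): all of the length/version arithmetic lived in the dropped
  # byte_test; what remains is two single-byte checks (offsets 1 and 11),
  # which is a weak discriminator on its own.
  event "PO3 PCT Client_Hello overflow attempt"
  tcp-state established,originator
  payload /.{1}\x01/
  payload /.{10}\x8F/
  requires-reverse-signature ! pop_return_error
}
signature s2b-2536-3 {
  ip-proto == tcp
  src-port == 995
  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
  # NOTE(review): in Snort this was a state-setting noalert rule; with flowbits
  # unsupported it now raises an event on every matching Server_Hello, and
  # s2b-2537-3 below no longer depends on it.
  event "POP3 SSLv3 Server_Hello request"
  tcp-state established,responder
  payload /\x16\x03/
  payload /.{4}\x02/
  requires-reverse-signature ! pop_return_error
}
signature s2b-2537-3 {
  ip-proto == tcp
  # NOTE(review): event text says POP3 but the port is 993, not 995 as in the
  # neighbouring POP3 SSL signatures; confirm which service is intended.
  dst-port == 993
  # Not supported: flowbits: isset,sslv3.server_hello.request
  event "POP3 SSLv3 invalid Client_Hello attempt"
  tcp-state established,originator
  payload /\x16\x03/
  payload /.{4}\x01/
  requires-reverse-signature !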
pop_return_error
}
# NOTE(review): none of the RPC signatures from here on carry the Snort
# byte_test / byte_jump checks (see the "Not supported" lines). The ones
# named "overflow" therefore match every call to that program/procedure,
# not only oversized ones -- read them as "procedure called", not "exploit
# seen". The fixed-offset prefixes (.{15}/.{11} before the program number,
# .{7}/.{3} before the msg-type check) appear one byte short of the ONC RPC
# call layout (xid 0-3, mtype 4-7, rpcvers 8-11, prog 12-15, plus a 4-byte
# record mark over TCP) -- TODO confirm the converter's offset convention
# against a capture before trusting these offsets.
signature s2b-2093-5 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_test: 4,>,2048,12,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): with the byte_test gone this differs from s2b-1922-6 only
  # by pinning the first version byte to \x00, so both fire on the same
  # portmap proxy (proc 5) requests; expect duplicate events.
  event "RPC portmap proxy integer overflow attempt TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1922-6 {
  ip-proto == tcp
  dst-port == 111
  event "RPC portmap proxy attempt TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1923-6 {
  ip-proto == udp
  dst-port == 111
  event "RPC portmap proxy attempt UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1280-9 {
  ip-proto == udp
  dst-port == 111
  event "RPC portmap listing UDP 111"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-598-12 {
  ip-proto == tcp
  dst-port == 111
  event "RPC portmap listing TCP 111"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1949-5 {
  ip-proto == tcp
  dst-port == 111
  event "RPC portmap SET attempt TCP 111"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1950-5 {
  ip-proto == udp
  dst-port == 111
  event "RPC portmap SET attempt UDP 111"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2014-5 {
  ip-proto == tcp
  dst-port == 111
  event "RPC portmap UNSET attempt TCP 111"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-2015-5 {
  ip-proto == udp
  dst-port == 111
  event "RPC portmap UNSET attempt UDP 111"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-599-11 {
  ip-proto == tcp
  dst-port == 32771
  event "RPC 
portmap listing TCP 32771"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1281-7 {
  ip-proto == udp
  dst-port == 32771
  event "RPC portmap listing UDP 32771"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
  payload /.{3}\x00\x00\x00\x00/
}
# NOTE(review): the "portmap <prog> request" signatures below match a
# portmap GETPORT (proc 3) lookup for the named program. Routine clients
# issue these too, so they are inventory/visibility events, not alerts.
signature s2b-1746-11 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap cachefsd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1747-11 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap cachefsd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1732-9 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rwalld request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1733-9 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rwalld request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-575-8 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap admind request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-576-8 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap amountd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1263-11 {
  ip-proto ==
tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap amountd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1264-13 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): only the TCP variant of the bootparam lookup appears here,
  # while the other programs come as TCP/UDP pairs; check whether the UDP
  # sibling was dropped by the converter.
  event "RPC portmap bootparam request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-580-9 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nisd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xCC/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1267-11 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nisd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xCC/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-581-9 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap pcnfsd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02I\xF1/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1268-12 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap pcnfsd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02I\xF1/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-582-8 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rexd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1269-10 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump:
# (byte_jump arguments, continued from the comment above) 4,4,relative,align,4,4,relative,align
  event "RPC portmap rexd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-584-11 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rusers request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1271-14 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rusers request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-612-6 {
  ip-proto == udp
  # No port constraint: the rusers program runs on a dynamically assigned
  # port, so any UDP datagram with this header layout is a candidate.
  event "RPC rusers query UDP"
  payload /.{11}\x00\x01\x86\xA2.{4}\x00\x00\x00\x02/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-586-8 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap selection_svc request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1273-10 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap selection_svc request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-587-8 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap status request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2016-6 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap status request TCP"
  tcp-state established,originator
  payload
/.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-593-18 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap snmpXdmi request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1279-14 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap snmpXdmi request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-569-14 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,1024,20,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): the overflow condition lived in the dropped byte_test; what
  # is left matches every call to snmpXdmi proc 0x101 on any TCP port. The
  # same applies to s2b-2045-8 below.
  event "RPC snmpXdmi overflow attempt TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-2045-8 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC snmpXdmi overflow attempt UDP"
  # Not supported: byte_test: 4,>,1024,20,relative
  payload /.{11}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2017-12 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap espd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7u/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-595-16 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap espd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7u/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1890-8 {
  ip-proto == udp
  dst-port >= 1024
  dst-port <= 65535
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC status GHBN format string attack"
  payload
/.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1891-8 {
  ip-proto == tcp
  dst-port >= 1024
  dst-port <= 65535
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # Unlike most RPC signatures here this one still carries content: a literal
  # "%x %x" within 251 bytes of the procedure field.
  event "RPC status GHBN format string attack"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-579-8 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap mountd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1266-10 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap mountd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-574-8 {
  ip-proto == tcp
  event "RPC mountd TCP export request"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1924-6 {
  ip-proto == udp
  event "RPC mountd UDP export request"
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1926-6 {
  ip-proto == udp
  event "RPC mountd UDP exportall request"
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2184-7 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,1023,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): without the byte_test this is the same mountd proc 1 match
  # as s2b-1951-5 (with the first version byte pinned to \x00), so every
  # ordinary mount request raises both the "overflow" and the "mount request"
  # event. Same for s2b-2185-7 / s2b-1952-5 on UDP.
  event "RPC mountd TCP mount path overflow attempt"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA5\x00.{3}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-2185-7 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC mountd UDP mount path overflow attempt"
  # Not supported: byte_test:
# (byte_test arguments, continued from the comment above) 4,>,1023,0,relative
  payload /.{11}\x00\x01\x86\xA5\x00.{3}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}
# The mountd signatures below have no port constraint (mountd is on a
# dynamic port) and match on program 100005 plus the procedure number only.
signature s2b-1951-5 {
  ip-proto == tcp
  event "RPC mountd TCP mount request"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1952-5 {
  ip-proto == udp
  event "RPC mountd UDP mount request"
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2018-4 {
  ip-proto == tcp
  event "RPC mountd TCP dump request"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-2019-4 {
  ip-proto == udp
  event "RPC mountd UDP dump request"
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2020-4 {
  ip-proto == tcp
  event "RPC mountd TCP unmount request"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-2021-4 {
  ip-proto == udp
  event "RPC mountd UDP unmount request"
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2022-4 {
  ip-proto == tcp
  event "RPC mountd TCP unmountall request"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-2023-4 {
  ip-proto == udp
  event "RPC mountd UDP unmountall request"
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1905-8 {
  ip-proto == udp
  dst-port >= 500
  dst-port <= 65535
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): the 512-byte threshold was in the dropped byte_test; this
  # now fires on every amqproc_mount (proc 7) call, as does s2b-1906-8.
  event "RPC AMD UDP amqproc_mount plog overflow attempt"
  # Not supported: byte_test: 4,>,512,0,relative
  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1906-8 {
  ip-proto == tcp
  dst-port >= 500
  dst-port <= 65535
  # Not supported: byte_test: 4,>,512,0,relative
  # Not
# (continued from the comment above) supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC AMD TCP amqproc_mount plog overflow attempt"
  tcp-state established,originator
  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1953-5 {
  ip-proto == tcp
  dst-port >= 500
  dst-port <= 65535
  event "RPC AMD TCP pid request"
  tcp-state established,originator
  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1954-5 {
  ip-proto == udp
  dst-port >= 500
  dst-port <= 65535
  event "RPC AMD UDP pid request"
  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1955-6 {
  ip-proto == tcp
  dst-port >= 500
  dst-port <= 65535
  event "RPC AMD TCP version request"
  tcp-state established,originator
  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-578-8 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap cmsd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1265-9 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap cmsd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1907-10 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): the 1024-byte threshold was in the dropped byte_test, so
  # this matches every CMSD_CREATE (proc 0x15) call; s2b-1908-9 likewise.
  event "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
  # Not supported: byte_test: 4,>,1024,0,relative
  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1908-9 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,1024,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
  tcp-state established,originator
  payload
/.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-2094-6 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): with the byte_test dropped, the payload conditions here and
  # in s2b-2095-6 are byte-for-byte identical to s2b-1907-10 / s2b-1908-9, so
  # every CMSD_CREATE call raises two events per direction.
  event "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
  # Not supported: byte_test: 4,>,1024,20,relative
  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-2095-6 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,1024,20,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1909-10 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,1000,28,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1910-10 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
  # Not supported: byte_test: 4,>,1000,28,relative
  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1272-10 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap sadmind request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-585-7 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap sadmind request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1911-10 {
  ip-proto == udp
  # Not supported:
# (continued from the comment above) byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
  # NOTE(review): the 512-byte threshold and the four byte_jumps that walked
  # to the CLIENT_DOMAIN field were not converted; this and s2b-1912-9 now
  # match every sadmind proc 1 call.
  event "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
  # Not supported: byte_test: 4,>,512,4,relative
  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1912-9 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,512,4,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
  event "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
  tcp-state established,originator
  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1957-5 {
  ip-proto == udp
  event "RPC sadmind UDP PING"
  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1958-5 {
  ip-proto == tcp
  event "RPC sadmind TCP PING"
  tcp-state established,originator
  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-583-9 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rstatd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1270-11 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rstatd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
  payload /.{7}\x00\x00\x00\x00/
}
signature s2b-1913-10 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # NOTE(review): s2b-1913-10 through s2b-1916-9 check only program 100024
  # and the procedure number; the 100-byte mon_name threshold was in the
  # dropped byte_test, so routine statd stat/monitor calls (e.g. NFS lock
  # setup) will trigger them. s2b-1890-8 / s2b-1891-8 are the content-based
  # statd signatures.
  event "RPC STATD UDP stat mon_name format string exploit attempt"
  # Not supported: byte_test: 4,>,100,0,relative
  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}
signature s2b-1914-10 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,100,0,relative
  # Not supported: byte_jump:
4,4,relative,align,4,4,relative,align event "RPC STATD TCP stat mon_name format string exploit attempt" tcp-state established,originator payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-1915-9 { ip-proto == udp # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC STATD UDP monitor mon_name format string exploit attempt" # Not supported: byte_test: 4,>,100,0,relative payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-1916-9 { ip-proto == tcp # Not supported: byte_test: 4,>,100,0,relative # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC STATD TCP monitor mon_name format string exploit attempt" tcp-state established,originator payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-1277-9 { ip-proto == udp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap ypupdated request UDP" payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-591-10 { ip-proto == tcp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap ypupdated request TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-2088-5 { ip-proto == udp # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC ypupdated arbitrary command attempt UDP" payload /.{11}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\x7C/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-2089-5 { ip-proto == tcp # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC ypupdated arbitrary command attempt TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\x7C/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-1959-7 { ip-proto == 
udp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap NFS request UDP" payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-1960-7 { ip-proto == tcp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap NFS request TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-1961-7 { ip-proto == udp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap RQUOTA request UDP" payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-1962-7 { ip-proto == tcp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap RQUOTA request TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-1963-9 { ip-proto == udp # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC RQUOTA getquota overflow attempt UDP" # Not supported: byte_test: 4,>,128,0,relative payload /.{11}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-2024-8 { ip-proto == tcp # Not supported: byte_test: 4,>,128,0,relative # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC RQUOTA getquota overflow attempt TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-588-17 { ip-proto == udp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap ttdbserv request UDP" payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-1274-17 { ip-proto == tcp dst-port == 111 # Not 
supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap ttdbserv request TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-1964-8 { ip-proto == udp # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC tooltalk UDP overflow attempt" # Not supported: byte_test: 4,>,128,0,relative payload /.{11}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-1965-8 { ip-proto == tcp # Not supported: byte_test: 4,>,128,0,relative # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC tooltalk TCP overflow attempt" tcp-state established,originator payload /.{15}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-589-8 { ip-proto == udp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap yppasswd request UDP" payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-1275-10 { ip-proto == tcp dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap yppasswd request TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/ payload /.{7}\x00\x00\x00\x00/ } signature s2b-2027-5 { ip-proto == udp # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align # Not supported: byte_test: 4,>,64,0,relative event "RPC yppasswd old password overflow attempt UDP" payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/ payload /.{3}\x00\x00\x00\x00/ } signature s2b-2028-5 { ip-proto == tcp # Not supported: byte_test: 4,>,64,0,relative # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC yppasswd old password overflow attempt TCP" tcp-state established,originator payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/ payload /.{7}\x00\x00\x00\x00/ } 
# yppasswd username / new password / user update: all six signatures below
# carry the identical pattern (program \x00\x01\x86\xA9, procedure 1) because
# the distinguishing byte_test/byte_jump checks were not translated.  One
# yppasswd update call therefore raises every one of these events at once;
# de-duplicate downstream rather than treating them as independent evidence.
signature s2b-2025-9 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC yppasswd username overflow attempt UDP"
  # Not supported: byte_test: 4,>,64,0,relative
  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2026-9 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,64,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC yppasswd username overflow attempt TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2029-5 {
  ip-proto == udp
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
  # Not supported: byte_test: 4,>,64,0,relative
  event "RPC yppasswd new password overflow attempt UDP"
  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2030-6 {
  ip-proto == tcp
  # Not supported: byte_test: 4,>,64,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
  event "RPC yppasswd new password overflow attempt TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2031-5 {
  ip-proto == udp
  event "RPC yppasswd user update UDP"
  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2032-5 {
  ip-proto == tcp
  event "RPC yppasswd user update TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}

# portmap GETPORT lookups for ypserv, nsm, nlockmgr, rpc.xfsmd, kcms_server.
signature s2b-590-12 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ypserv request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-1276-14 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ypserv request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2033-8 {
  ip-proto == udp
  event "RPC ypserv maplist request UDP"
  payload /.{11}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2034-7 {
  ip-proto == tcp
  event "RPC ypserv maplist request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2035-6 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap network-status-monitor request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0Dp/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2036-6 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap network-status-monitor request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0Dp/
  payload /.{7}\x00\x00\x00\x00/
}

# The program number is written with a printable trailing byte ('p' = 0x70,
# 'h' = 0x68, '}' = 0x7D below); s2b.pl only hex-escapes non-printables.
signature s2b-2037-5 {
  ip-proto == udp
  event "RPC network-status-monitor mon-callback request UDP"
  payload /.{11}\x00\x03\x0Dp.{4}\x00\x00\x00\x01/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2038-5 {
  ip-proto == tcp
  event "RPC network-status-monitor mon-callback request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x03\x0Dp.{4}\x00\x00\x00\x01/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2079-6 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nlockmgr request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2080-6 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nlockmgr request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2081-9 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rpc.xfsmd request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7h/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2082-9 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rpc.xfsmd request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7h/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2083-8 {
  ip-proto == udp
  event "RPC rpc.xfsmd xfs_export attempt UDP"
  payload /.{11}\x00\x05\xF7h.{4}\x00\x00\x00\x0D/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2084-8 {
  ip-proto == tcp
  event "RPC rpc.xfsmd xfs_export attempt TCP"
  tcp-state established,originator
  payload /.{15}\x00\x05\xF7h.{4}\x00\x00\x00\x0D/
  payload /.{7}\x00\x00\x00\x00/
}

signature s2b-2005-10 {
  ip-proto == udp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap kcms_server request UDP"
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\}/
  payload /.{3}\x00\x00\x00\x00/
}

signature s2b-2006-10 {
  ip-proto == tcp
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap kcms_server request TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\}/
  payload /.{7}\x00\x00\x00\x00/
}

# kcms_server on its dynamic port range: program number followed by a
# "/../" sequence anywhere later in the request.
signature s2b-2007-10 {
  ip-proto == tcp
  dst-port >= 32771
  dst-port <= 34000
  # Not supported: byte_jump: 4,20,relative,align,4,4,relative,align
  event "RPC kcms_server directory traversal attempt"
  tcp-state established,originator
  payload /.{15}\x00\x01\x87\}.*.*\/\.\.\//
  payload /.{7}\x00\x00\x00\x00/
}

# sadmind procedure 1 with a fixed credential prefix.  The byte_jump that
# located the uid field was not translated, so "root credentials" is not
# actually verified by the pattern -- confirm before acting on this alone.
signature s2b-2255-3 {
  ip-proto == tcp
  # Not supported: byte_jump: 4,8,relative,align
  event "RPC sadmind query with root credentials attempt TCP"
  tcp-state established,originator
  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00/
}

signature s2b-2256-3 {
  ip-proto == udp
  # Not supported: byte_jump: 4,8,relative,align
  event "RPC sadmind query with root credentials attempt UDP"
  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00/
}

# ---------------------------------------------------------------------------
# RSERVICES: rlogin (513) and rsh (514).  Client-side patterns match the
# NUL-separated user names in the connection request; s2b-611 and s2b-605
# watch the server side (responder) for the rejection banner instead.
# ---------------------------------------------------------------------------

signature s2b-601-6 {
  ip-proto == tcp
  dst-port == 513
  event "RSERVICES rlogin LinuxNIS"
  tcp-state established,originator
  payload /.*\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x00\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x3A/
}

signature s2b-602-5 {
  ip-proto == tcp
  dst-port == 513
  event "RSERVICES rlogin bin"
  tcp-state established,originator
  payload /.*bin\x00bin\x00/
}

signature s2b-603-5 {
  ip-proto == tcp
  dst-port == 513
  event "RSERVICES rlogin echo++"
  tcp-state established,originator
  payload /.*echo \x22 \+ \+ \x22/
}

signature s2b-604-5 {
  ip-proto == tcp
  dst-port == 513
  event "RSERVICES rsh froot"
  tcp-state established,originator
  payload /.*-froot\x00/
}

signature s2b-611-7 {
  ip-proto == tcp
  src-port == 513
  event "RSERVICES rlogin login failure"
  tcp-state established,responder
  payload /.*\x01rlogind\x3A Permission denied\./
}

signature s2b-605-6 {
  ip-proto == tcp
  src-port == 513
  event "RSERVICES rlogin login failure"
  tcp-state established,responder
  payload /.*login incorrect/
}

signature s2b-606-5 {
  ip-proto == tcp
  dst-port == 513
  event "RSERVICES rlogin root"
  tcp-state established,originator
  payload /.*root\x00root\x00/
}

signature s2b-607-5 {
  ip-proto == tcp
  dst-port == 514
  event "RSERVICES rsh bin"
  tcp-state established,originator
  payload /.*bin\x00bin\x00/
}

signature s2b-608-5 {
  ip-proto == tcp
  dst-port == 514
  event "RSERVICES rsh echo + +"
  tcp-state established,originator
  payload /.*echo \x22\+ \+\x22/
}

signature s2b-609-5 {
  ip-proto == tcp
  dst-port == 514
  event "RSERVICES rsh froot"
  tcp-state established,originator
  payload /.*-froot\x00/
}
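signature s2b-610-5 {
  ip-proto == tcp
  dst-port == 514
  event "RSERVICES rsh root"
  tcp-state established,originator
  payload /.*root\x00root\x00/
}

# rexec (512): three NUL-terminated fields; only the username variant is
# restricted to local_nets as destination.
signature s2b-2113-3 {
  ip-proto == tcp
  dst-port == 512
  dst-ip == local_nets
  event "RSERVICES rexec username overflow attempt"
  tcp-state established,originator
  payload /.{8}.*\x00.*.*\x00.*.*\x00/
}

signature s2b-2114-3 {
  ip-proto == tcp
  dst-port == 512
  event "RSERVICES rexec password overflow attempt"
  tcp-state established,originator
  payload /.*\x00.{33}.*\x00.*.*\x00/
}

# ---------------------------------------------------------------------------
# SCAN: scanner fingerprints.  tcp[13:1] & 255 is the TCP flags byte, so the
# "stateless" signatures below fire on single probe packets that never form a
# connection; tcp[4:4] is the sequence number, tcp[8:4] the ack number and
# ip[4:2] the IP id -- fixed values are the scanner's own fingerprint.
# ---------------------------------------------------------------------------

signature s2b-616-4 {
  ip-proto == tcp
  dst-port == 113
  event "SCAN ident version request"
  tcp-state established,originator
  payload /.{0,8}VERSION\x0A/
}

signature s2b-619-5 {
  ip-proto == tcp
  dst-port == 80
  payload-size == 0
  header tcp[13:1] & 255 == 195
  event "SCAN cybercop os probe"
  tcp-state stateless
}

signature s2b-622-6 {
  ip-proto == tcp
  header tcp[13:1] & 255 == 2
  header tcp[4:4] == 1958810375
  event "SCAN ipEye SYN scan"
  tcp-state stateless
}

signature s2b-1228-6 {
  ip-proto == tcp
  header tcp[13:1] & 255 == 41
  event "SCAN nmap XMAS"
  tcp-state stateless
}

signature s2b-630-5 {
  ip-proto == tcp
  header tcp[13:1] & 255 == 3
  event "SCAN synscan portscan"
  tcp-state stateless
  header ip[4:2] == 39426
}

signature s2b-626-7 {
  ip-proto == tcp
  header tcp[13:1] & 255 == 216
  event "SCAN cybercop os PA12 attempt"
  tcp-state stateless
  payload /AAAAAAAAAAAAAAAA/
}

signature s2b-627-7 {
  ip-proto == tcp
  header tcp[8:4] == 0
  header tcp[13:1] & 255 == 227
  event "SCAN cybercop os SFU12 probe"
  tcp-state stateless
  payload /AAAAAAAAAAAAAAAA/
}

signature s2b-634-2 {
  ip-proto == udp
  dst-port >= 10080
  dst-port <= 10081
  event "SCAN Amanda client version request"
  payload /.*[aA][mM][aA][nN][dD][aA]/
}

signature s2b-635-3 {
  ip-proto == udp
  dst-port == 49
  event "SCAN XTACACS logout"
  payload /.*\x80\x07\x00\x00\x07\x00\x00\x04\x00\x00\x00\x00\x00/
}

signature s2b-636-1 {
  ip-proto == udp
  dst-port == 7
  event "SCAN cybercop udp bomb"
  payload /.*cybercop/
}

signature s2b-637-3 {
  ip-proto == udp
  event "SCAN Webtrends Scanner UDP Probe"
  payload /.*\x0Ahelp\x0Aquite\x0A/
}

signature s2b-1638-5 {
  ip-proto == tcp
  dst-port == 22
  event "SCAN SSH Version map attempt"
  tcp-state established,originator
  payload /.*[vV][eE][rR][sS][iI][oO][nN]_[mM][aA][pP][pP][eE][rR]/
}

signature s2b-1133-11 {
  ip-proto == tcp
  dst-port == http_ports
  header tcp[8:4] == 0
  header tcp[13:1] & 255 == 11
  event "SCAN cybercop os probe"
  tcp-state stateless
  payload /AAAAAAAAAAAAAAAA/
}

# ---------------------------------------------------------------------------
# SHELLCODE: NOP-sled and syscall byte patterns.  No ip-proto or port is
# pinned -- these apply to every flow except those whose source port is in
# non_shellcode_ports -- and every pattern starts with ".*", so it matches
# anywhere in the payload.  Expect false positives on compressed, encrypted or
# otherwise binary content, and on plain text for s2b-1390 (24 x 'C') and
# s2b-1394 (21 x 'a').  Where s2b.pl left a byte printable it appears
# literally (e.g. the spaces in s2b-647, '%' in s2b-638, '@' in s2b-645).
# ---------------------------------------------------------------------------

signature s2b-647-6 {
  src-port != non_shellcode_ports
  event "SHELLCODE sparc setuid 0"
  payload /.*\x82\x10 \x17\x91\xD0 \x08/
}

signature s2b-649-8 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 setgid 0"
  payload /.*\xB0\xB5\xCD\x80/
}

signature s2b-638-5 {
  src-port != non_shellcode_ports
  event "SHELLCODE SGI NOOP"
  payload /.*\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%/
}

# NOTE(review): "\x124" relies on \x consuming exactly two hex digits (\x12
# then a literal '4'); writing the fourth byte as \x34 would remove the
# ambiguity.  Left as generated -- confirm against the regex engine.
signature s2b-639-5 {
  src-port != non_shellcode_ports
  event "SHELLCODE SGI NOOP"
  payload /.*\x24\x0F\x124\x24\x0F\x124\x24\x0F\x124\x24\x0F\x124/
}

signature s2b-640-6 {
  src-port != non_shellcode_ports
  event "SHELLCODE AIX NOOP"
  payload /.*O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82/
}

signature s2b-641-6 {
  src-port != non_shellcode_ports
  event "SHELLCODE Digital UNIX NOOP"
  payload /.*G\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1F/
}

signature s2b-642-6 {
  src-port != non_shellcode_ports
  event "SHELLCODE HP-UX NOOP"
  payload /.*\x08!\x02\x80\x08!\x02\x80\x08!\x02\x80\x08!\x02\x80/
}

signature s2b-644-5 {
  src-port != non_shellcode_ports
  event "SHELLCODE sparc NOOP"
  payload /.*\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6/
}

signature s2b-645-5 {
  src-port != non_shellcode_ports
  event "SHELLCODE sparc NOOP"
  payload /.*\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11/
}

signature s2b-646-5 {
  src-port != non_shellcode_ports
  event "SHELLCODE sparc NOOP"
  payload /.*\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13/
}

# 14 x 0x90 within the first 128 bytes (.{0,114} + 14).
signature s2b-648-7 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 NOOP"
  payload /.{0,114}\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
}

signature s2b-651-8 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 stealth NOOP"
  payload /.*\xEB\x02\xEB\x02\xEB\x02/
}

# s2b-653 (5 repetitions) is a strict superset of s2b-2314 below
# (8 repetitions): anything that raises 2314 also raises 653.
signature s2b-653-8 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 unicode NOOP"
  payload /.*\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00/
}

signature s2b-652-9 {
  src-port != non_shellcode_ports
  event "SHELLCODE Linux shellcode"
  payload /.*\x90\x90\x90\xE8\xC0\xFF\xFF\xFF\/bin\/sh/
}

signature s2b-1390-5 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 inc ebx NOOP"
  payload /.*CCCCCCCCCCCCCCCCCCCCCCCC/
}

signature s2b-1394-5 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 NOOP"
  payload /.*aaaaaaaaaaaaaaaaaaaaa/
}

signature s2b-1424-6 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 0xEB0C NOOP"
  payload /.*\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C/
}

signature s2b-2312-2 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 0x71FB7BAB NOOP"
  payload /.*q\xFB\{\xABq\xFB\{\xABq\xFB\{\xABq\xFB\{\xAB/
}

signature s2b-2313-2 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 0x71FB7BAB NOOP unicode"
  payload /.*q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00/
}

signature s2b-2314-1 {
  src-port != non_shellcode_ports
  event "SHELLCODE x86 0x90 NOOP unicode"
  payload /.*\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00/
}

# ---------------------------------------------------------------------------
# SMTP (25).  "((^)|(\n+))" stands in for the line-anchored "^" of the
# original pcre (the pcre itself is kept as a "Not supported" comment), and
# "requires-reverse-signature ! smtp_server_fail" suppresses the event when
# the server side matched smtp_server_fail, i.e. rejected the command.
#
# Fixes applied in this block (diverging from the s2b.pl output):
#   - s2b-1550: stray "]" after [nN] made the ETRN regex require a literal
#     "]" and so never match the command the pcre describes.
#   - s2b-659, s2b-660, s2b-1450, s2b-663: the pcre uses "\s+" but the
#     translation required exactly one whitespace byte; "+" restored so
#     "EXPN  root" (two spaces) is still seen.
# ---------------------------------------------------------------------------

signature s2b-654-13 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^RCPT TO\s[^\n]{300}/ism
  event "SMTP RCPT TO overflow"
  tcp-state established,originator
  # Not supported: isdataat: 300,relative
  payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO][\x20\x09\x0b][^\n]{300}/
}

signature s2b-657-12 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^HELP\s[^\n]{500}/ism
  event "SMTP chameleon overflow"
  tcp-state established,originator
  # Not supported: isdataat: 500,relative
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[hH][eE][lL][pP][\x20\x09\x0b][^\n]{500}/
}

signature s2b-655-8 {
  ip-proto == tcp
  src-port == 113
  dst-port == 25
  event "SMTP sendmail 8.6.9 exploit"
  tcp-state established,originator
  payload /.*\x0AD\//
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-658-5 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP exchange mime DOS"
  tcp-state established,originator
  payload /.*charset = \x22\x22/
}

signature s2b-659-6 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^expn\s+decode/smi
  event "SMTP expn decode"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  # "+" added to match the pcre's \s+ (was a single whitespace byte).
  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/
}

signature s2b-660-7 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^expn\s+root/smi
  event "SMTP expn root"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  # "+" added to match the pcre's \s+ (was a single whitespace byte).
  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]+[rR][oO][oO][tT]/
}

signature s2b-1450-5 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^expn\s+\*@/smi
  event "SMTP expn *@"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  # "+" added to match the pcre's \s+ (was a single whitespace byte).
  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]+\*@/
}

signature s2b-661-6 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP majordomo ifs"
  tcp-state established,originator
  payload /.*eply-to\x3A a~\.`\/bin\//
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-662-5 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP sendmail 5.5.5 exploit"
  tcp-state established,originator
  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A \x22\x7C/
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-663-13 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^rcpt\s+to\:\s+[|\x3b]/smi
  event "SMTP rcpt to command attempt"
  tcp-state established,originator
  # "+" added after the first whitespace class to match the pcre's \s+.
  payload /((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b]+[tT][oO]:[\x20\x09\x0b]+[|\x3b]/
}

signature s2b-664-13 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^rcpt to\:\s+decode/smi
  event "SMTP RCPT TO decode attempt"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/
}

signature s2b-665-5 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP sendmail 5.6.5 exploit"
  tcp-state established,originator
  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A \x7C\/[uU][sS][rR]\/[uU][cC][bB]\/[tT][aA][iI][lL]/
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-667-5 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP sendmail 8.6.10 exploit"
  tcp-state established,originator
  payload /.*Croot\x0D\x0AMprog, P=\/bin\//
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-668-6 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP sendmail 8.6.10 exploit"
  tcp-state established,originator
  payload /.*Croot\x09\x09\x09\x09\x09\x09\x09Mprog,P=\/bin/
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-670-7 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP sendmail 8.6.9 exploit"
  tcp-state established,originator
  payload /.*\x0AC\x3Adaemon\x0AR/
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-671-8 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP sendmail 8.6.9c exploit"
  tcp-state established,originator
  payload /.*\x0ACroot\x0D\x0AMprog/
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-672-6 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^vrfy\s+decode/smi
  event "SMTP vrfy decode"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/
}

signature s2b-1446-6 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^vrfy\s+root/smi
  event "SMTP vrfy root"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[rR][oO][oO][tT]/
}

signature s2b-631-6 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP ehlo cybercop attempt"
  tcp-state established,originator
  payload /.*ehlo cybercop\x0Aquit\x0A/
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-632-5 {
  ip-proto == tcp
  dst-port == 25
  event "SMTP expn cybercop attempt"
  tcp-state established,originator
  payload /.*expn cybercop/
}

signature s2b-1549-16 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^HELO\s[^\n]{500}/smi
  event "SMTP HELO overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 500,relative
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[hH][eE][lL][oO][\x20\x09\x0b][^\n]{500}/
}

signature s2b-1550-10 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^ETRN\s[^\n]{500}/smi
  event "SMTP ETRN overflow attempt"
  tcp-state established,originator
  # Not supported: isdataat: 500,relative
  requires-reverse-signature ! smtp_server_fail
  # Fixed: the generated regex had a stray "]" after [nN].
  payload /((^)|(\n+))[eE][tT][rR][nN][\x20\x09\x0b][^\n]{500}/
}

signature s2b-2087-5 {
  ip-proto == tcp
  dst-port == 25
  event "Sendmail SMTP From comment overflow attempt"
  tcp-state established,originator
  payload /.*From\x3A<><><><><><><><><><><><><><><><><><><><><><>.{1}\x28.{1}\x29/
  requires-reverse-signature ! smtp_server_fail
}

signature s2b-2253-3 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^XEXCH50\s+-\d/smi
  event "SMTP XEXCH50 overflow attempt"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[xX][eE][xX][cC][hH]50[\x20\x09\x0b]+-[0-9]/
}

signature s2b-2259-5 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^EXPN[^\n]{255,}/smi
  event "SMTP EXPN overflow attempt"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[eE][xX][pP][nN][^\n]{255,}/
}

signature s2b-2260-5 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^VRFY[^\n]{255,}/smi
  event "SMTP VRFY overflow attempt"
  tcp-state established,originator
  requires-reverse-signature ! smtp_server_fail
  payload /((^)|(\n+))[vV][rR][fF][yY][^\n]{255,}/
}

# NOTE(review): this signature is not trustworthy as rendered.  The pcre
# comment below is cut off mid-pattern and runs straight into the tail of a
# different "Not supported: byte_test" comment (",0,6,2,!,0,8,...") and into
# the fields of a signature whose own header ("signature s2b-NNNN-N {",
# ip-proto, dst-port) is missing.  The event name, both payload patterns and
# the reverse-signature clause below therefore belong to a "SMTP Client_Hello
# overflow attempt" signature, not to the SEND FROM rule s2b-2261-4 names.
# Nothing in between can be recovered from this copy; regenerate the file
# with s2b.pl from the Snort source before deploying this span.
signature s2b-2261-4 {
  ip-proto == tcp
  dst-port == 25
  # Not supported: pcre: /^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
  event "SMTP Client_Hello overflow attempt"
  tcp-state established,originator
  payload /.{1}\x01/
  payload /.{10}\x8F/
  requires-reverse-signature ! smtp_server_fail
}

# ---------------------------------------------------------------------------
# SNMP (161/162, AgentX 705).  Most signatures only count when the reverse
# direction matched snmp_userver_ok_return (UDP) or snmp_tserver_ok_return
# (TCP), i.e. the agent actually answered.  s2b-1413 and s2b-1422 have no
# such requirement and will fire on unanswered probes as well.
# ---------------------------------------------------------------------------

signature s2b-1892-6 {
  ip-proto == udp
  dst-port == 161
  event "SNMP null community string attempt"
  payload /.{4}.{0,7}\x04\x01\x00/
  requires-reverse-signature snmp_userver_ok_return
}

signature s2b-1409-10 {
  ip-proto == udp
  dst-port >= 161
  dst-port <= 162
  event "SNMP community string buffer overflow attempt"
  payload /.{3}.*\x02\x01\x00\x04\x82\x01\x00/
  requires-reverse-signature snmp_userver_ok_return
}

signature s2b-1422-10 {
  ip-proto == udp
  dst-port >= 161
  dst-port <= 162
  event "SNMP community string buffer overflow attempt with evasion"
  payload /.{6} \x04\x82\x01\x00/
}

# "public"/"private" anywhere in the datagram -- this is a community-string
# hygiene check, not an attack indicator on its own.
signature s2b-1411-10 {
  ip-proto == udp
  dst-port == 161
  event "SNMP public access udp"
  payload /.*public/
  requires-reverse-signature snmp_userver_ok_return
}

# NOTE(review): every other TCP SNMP signature here (s2b-1414, s2b-1418,
# s2b-1420) requires snmp_tserver_ok_return; this one references the UDP
# variant, which presumably cannot match on a TCP connection and would keep
# the event from ever firing.  Left unchanged -- confirm against the
# reverse-signature definitions, which are outside this block.
signature s2b-1412-13 {
  ip-proto == tcp
  dst-port == 161
  event "SNMP public access tcp"
  tcp-state established,originator
  payload /.*public/
  requires-reverse-signature snmp_userver_ok_return
}

signature s2b-1413-10 {
  ip-proto == udp
  dst-port == 161
  event "SNMP private access udp"
  payload /.*private/
}

signature s2b-1414-11 {
  ip-proto == tcp
  dst-port == 161
  event "SNMP private access tcp"
  tcp-state established,originator
  payload /.*private/
  requires-reverse-signature snmp_tserver_ok_return
}

signature s2b-1415-9 {
  ip-proto == udp
  dst-ip == 255.255.255.255
  dst-port == 161
  event "SNMP Broadcast request"
  requires-reverse-signature snmp_userver_ok_return
}

signature s2b-1416-9 {
  ip-proto == udp
  dst-ip == 255.255.255.255
  dst-port == 162
  event "SNMP broadcast trap"
  requires-reverse-signature snmp_userver_ok_return
}

signature s2b-1418-11 {
  ip-proto == tcp
  dst-port == 161
  event "SNMP request tcp"
  tcp-state stateless
  requires-reverse-signature snmp_tserver_ok_return
}

signature s2b-1419-9 {
  ip-proto == udp
  dst-port == 162
  event "SNMP trap udp"
  requires-reverse-signature snmp_userver_ok_return
}

signature s2b-1420-11 {
  ip-proto == tcp
  dst-port == 162
  event "SNMP trap tcp"
  tcp-state stateless
  requires-reverse-signature snmp_tserver_ok_return
}

signature s2b-1421-11 {
  ip-proto == tcp
  dst-port == 705
  event "SNMP AgentX/tcp request"
  tcp-state stateless
}

signature s2b-1426-5 {
  ip-proto == udp
  dst-port == 161
  event "SNMP PROTOS test-suite-req-app attempt"
  payload /.*0&\x02\x01\x00\x04\x06public\xA0\x19\x02\x01\x00\x02\x01\x00\x02\x01\x000\x0E0\x0C\x06\x08\+\x06\x01\x02\x01\x01\x05\x00\x05\x00/
  requires-reverse-signature snmp_userver_ok_return
}

signature s2b-1427-4 {
  ip-proto == udp
  dst-port == 162
  event "SNMP PROTOS test-suite-trap-app attempt"
  payload /.*08\x02\x01\x00\x04\x06public\xA4\+\x06/
  requires-reverse-signature snmp_userver_ok_return
}

# ---------------------------------------------------------------------------
# MS-SQL over SMB (139) and native TDS (1433).  Stored-procedure names are
# matched as wide characters: each ASCII byte is followed by \x00, and the
# letter classes make the match case-insensitive.  The SMB variants mostly
# skip 31 bytes first (".{31}"), the 1433 variants search the whole stream.
# A hit means the procedure name appeared on the wire; "possible buffer
# overflow" signatures do not check argument length.
# ---------------------------------------------------------------------------

signature s2b-676-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB sp_start_job - program execution"
  tcp-state established,originator
  payload /.{31}[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
}

signature s2b-677-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB sp_password password change"
  tcp-state established,originator
  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
}

# Pattern stops at "sp_delete_ale" (as in the Snort source); still matches
# sp_delete_alert.
signature s2b-678-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB sp_delete_alert log file deletion"
  tcp-state established,originator
  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00/
}

signature s2b-679-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB sp_adduser database user creation"
  tcp-state established,originator
  payload /.{31}[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
}

signature s2b-708-8 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_enumresultset possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
}

signature s2b-1386-8 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB raiserror possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
}

signature s2b-702-8 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]\x00/
}

signature s2b-681-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_cmdshell program execution"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
}

signature s2b-689-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_reg* registry access"
  tcp-state established,originator
  payload /.{31}[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
}

signature s2b-690-7 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_printstatements possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
}

signature s2b-692-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB shellcode attempt"
  tcp-state established,originator
  payload /.*9 \xD0\x00\x92\x01\xC2\x00R\x00U\x009 \xEC\x00/
}

signature s2b-694-6 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB shellcode attempt"
  tcp-state established,originator
  payload /.*H\x00%\x00x\x00w\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x003\x00\xC0\x00P\x00h\x00\.\x00/
}

signature s2b-695-7 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_sprintf possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
}

signature s2b-696-7 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_showcolv possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
}

signature s2b-697-8 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_peekqueue possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
}

signature s2b-698-8 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
}

signature s2b-700-8 {
  ip-proto == tcp
  dst-port == 139
  event "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
  tcp-state established,originator
  payload /.{31}.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
}

signature s2b-673-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL sp_start_job - program execution"
  tcp-state established,originator
  payload /.*[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
}

# No trailing \x00 after the final [tT] here (as generated), so this also
# matches longer names that start with xp_displayparamstmt.
signature s2b-674-6 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL xp_displayparamstmt possible buffer overflow"
  tcp-state established,originator
  payload /.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]/
}

signature s2b-675-6 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL xp_setsqlsecurity possible buffer overflow"
  tcp-state established,originator
  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[eE]\x00[tT]\x00[sS]\x00[qQ]\x00[lL]\x00[sS]\x00[eE]\x00[cC]\x00[uU]\x00[rR]\x00[iI]\x00[tT]\x00[yY]\x00/
}

signature s2b-682-6 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL xp_enumresultset possible buffer overflow"
  tcp-state established,originator
  payload /.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
}

signature s2b-683-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL sp_password - password change"
  tcp-state established,originator
  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
}

signature s2b-684-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL sp_delete_alert log file deletion"
  tcp-state established,originator
  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00[rR]\x00[tT]\x00/
}

signature s2b-685-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL sp_adduser - database user creation"
  tcp-state established,originator
  payload /.*[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
}

signature s2b-686-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL xp_reg* - registry access"
  tcp-state established,originator
  payload /.*[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
}

signature s2b-687-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL xp_cmdshell - program execution"
  tcp-state established,originator
  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
}

signature s2b-691-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL shellcode attempt"
  tcp-state established,originator
  payload /.*9 \xD0\x00\x92\x01\xC2\x00R\x00U\x009 \xEC\x00/
}

signature s2b-693-5 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL shellcode attempt"
  tcp-state established,originator
  payload /.*H\x00%\x00x\x00w\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x003\x00\xC0\x00P\x00h\x00\.\x00/
}

signature s2b-699-7 {
  ip-proto == tcp
  dst-port == 1433
  event "MS-SQL xp_printstatements possible buffer overflow"
  tcp-state established,originator
  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
}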
signature s2b-701-7 { ip-proto == tcp dst-port == 1433 event "MS-SQL xp_updatecolvbm possible buffer overflow" tcp-state established,originator payload /.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/ } signature s2b-704-6 { ip-proto == tcp dst-port == 1433 event "MS-SQL xp_sprintf possible buffer overflow" tcp-state established,originator payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/ } signature s2b-705-7 { ip-proto == tcp dst-port == 1433 event "MS-SQL xp_showcolv possible buffer overflow" tcp-state established,originator payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/ } signature s2b-706-7 { ip-proto == tcp dst-port == 1433 event "MS-SQL xp_peekqueue possible buffer overflow" tcp-state established,originator payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/ } signature s2b-707-8 { ip-proto == tcp dst-port == 1433 event "MS-SQL xp_proxiedmetadata possible buffer overflow" tcp-state established,originator payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/ } signature s2b-1387-7 { ip-proto == tcp dst-port == 1433 event "MS-SQL raiserror possible buffer overflow" tcp-state established,originator payload /.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/ } signature s2b-1759-5 { ip-proto == tcp dst-port == 445 event "MS-SQL xp_cmdshell program execution 445" tcp-state established,originator payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/ } signature s2b-688-6 { ip-proto == tcp src-port == 1433 event "MS-SQL sa login failed" tcp-state established,responder payload /.*Login failed for user 'sa'/ } signature s2b-680-6 { ip-proto == tcp src-port == 139 event "MS-SQL/SMB sa 
login failed" tcp-state established,responder payload /.{82}.*Login failed for user 'sa'/ } signature s2b-2050-5 { ip-proto == udp dst-port == 1434 payload-size > 100 event "MS-SQL version overflow attempt" payload /\x04/ } signature s2b-2329-6 { ip-proto == udp dst-port == 1434 dst-ip == local_nets # Not supported: byte_test: 2,>,512,1 event "MS-SQL probe response overflow attempt" # Not supported: isdataat: 512,relative payload /\x05.*.*\x3B[^\x3B]{512}/ } signature s2b-1430-7 { ip-proto == tcp dst-port == 23 event "TELNET Solaris memory mismanagement exploit attempt" tcp-state established,originator payload /.*\xA0\x23\xA0\x10\xAE\x23\x80\x10\xEE\x23\xBF\xEC\x82\x05\xE0\xD6\x90%\xE0/ } signature s2b-711-5 { ip-proto == tcp dst-port == 23 event "TELNET SGI telnetd format bug" tcp-state established,originator payload /.*_RLD/ payload /.*bin\/sh/ } signature s2b-712-8 { ip-proto == tcp dst-port == 23 event "TELNET ld_library_path" tcp-state established,originator payload /.*ld_library_path/ } signature s2b-714-4 { ip-proto == tcp dst-port == 23 event "TELNET resolv_host_conf" tcp-state established,originator payload /.*resolv_host_conf/ } signature s2b-715-6 { ip-proto == tcp src-port == 23 event "TELNET Attempted SU from wrong group" tcp-state established,responder payload /.*[tT][oO] [sS][uU] [rR][oO][oO][tT]/ } signature s2b-717-6 { ip-proto == tcp src-port == 23 event "TELNET not on console" tcp-state established,responder payload /.*[nN][oO][tT] [oO][nN] [sS][yY][sS][tT][eE][mM] [cC][oO][nN][sS][oO][lL][eE]/ } signature s2b-718-7 { ip-proto == tcp src-port == 23 event "TELNET login incorrect" tcp-state established,responder payload /.*Login incorrect/ } signature s2b-719-7 { ip-proto == tcp src-port == 23 event "TELNET root login" tcp-state established,responder payload /.*login\x3A root/ } signature s2b-1252-13 { ip-proto == tcp src-port == 23 event "TELNET bsd telnet exploit response" tcp-state established,responder payload 
/.*\x0D\x0A\[Yes\]\x0D\x0A\xFF\xFE\x08\xFF\xFD&/ } signature s2b-1253-11 { ip-proto == tcp dst-port == 23 payload-size > 200 event "TELNET bsd exploit client finishing" tcp-state established,responder payload /.{199}\xFF\xF6\xFF\xF6\xFF\xFB\x08\xFF\xF6/ } signature s2b-709-7 { ip-proto == tcp dst-port == 23 event "TELNET 4Dgifts SGI account attempt" tcp-state established,originator payload /.*4Dgifts/ } signature s2b-710-7 { ip-proto == tcp dst-port == 23 event "TELNET EZsetup account attempt" tcp-state established,originator payload /.*OutOfBox/ } signature s2b-2406-1 { ip-proto == tcp dst-port == 23 event "TELNET APC SmartSlot default admin account attempt" tcp-state established,originator payload /.*TENmanUFactOryPOWER/ } signature s2b-1941-8 { ip-proto == udp dst-port == 69 event "TFTP GET filename overflow attempt" payload /\x00\x01[^\x00]{100}/ } signature s2b-2337-7 { ip-proto == udp dst-port == 69 event "TFTP PUT filename overflow attempt" payload /\x00\x02[^\x00]{100}/ } signature s2b-1289-4 { ip-proto == udp dst-port == 69 event "TFTP GET Admin.dll" payload /\x00\x01/ payload /.{1}.*[aA][dD][mM][iI][nN]\.[dD][lL][lL]/ } signature s2b-1441-4 { ip-proto == udp dst-port == 69 event "TFTP GET nc.exe" payload /\x00\x01/ payload /.{1}.*[nN][cC]\.[eE][xX][eE]/ } signature s2b-1442-4 { ip-proto == udp dst-port == 69 event "TFTP GET shadow" payload /\x00\x01/ payload /.{1}.*[sS][hH][aA][dD][oO][wW]/ } signature s2b-1443-4 { ip-proto == udp dst-port == 69 event "TFTP GET passwd" payload /\x00\x01/ payload /.{1}.*[pP][aA][sS][sS][wW][dD]/ } signature s2b-519-6 { ip-proto == udp dst-port == 69 event "TFTP parent directory" payload /.{1}.*\.\./ } signature s2b-520-5 { ip-proto == udp dst-port == 69 event "TFTP root directory" payload /\x00\x01\// } signature s2b-518-6 { ip-proto == udp dst-port == 69 event "TFTP Put" payload /\x00\x02/ } signature s2b-1444-3 { ip-proto == udp dst-port == 69 event "TFTP Get" payload /\x00\x01/ } signature s2b-2339-2 { ip-proto == udp 
dst-port == 69 event "TFTP NULL command attempt" payload /\x00\x00/ } signature s2b-1328-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS ps command attempt" http /.*[\/\\]bin[\/\\]ps([^_a-zA-Z0-9.\/-]|$)/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1330-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS wget command attempt" tcp-state established,originator payload /.*[wW][gG][eE][tT]%20/ requires-reverse-signature ! http_error # would like to inspect contents of reply } signature s2b-1331-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS uname -a command attempt" tcp-state established,originator payload /.*[uU][nN][aA][mM][eE]%20-[aA]/ requires-reverse-signature ! http_error } signature s2b-1332-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /usr/bin/id command attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[iI][dD]/ requires-reverse-signature ! http_error } signature s2b-1333-6 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS id command attempt" tcp-state established,originator requires-reverse-signature ! http_error http /.*;[iI][dD]([;|\x20\x09\x0b]|$)./ } signature s2b-1334-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS echo command attempt" tcp-state established,originator payload /.*\/[bB][iI][nN]\/[eE][cC][hH][oO]/ requires-reverse-signature ! http_error } signature s2b-1335-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS kill command attempt" tcp-state established,originator payload /.*\/[bB][iI][nN]\/[kK][iI][lL][lL]/ requires-reverse-signature ! http_error } signature s2b-1336-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS chmod command attempt" tcp-state established,originator http /.*\/[cC][hH][mM][oO][dD]([^-a-zA-Z0-9_.]|$)/ requires-reverse-signature ! 
http_error } signature s2b-1337-6 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS chgrp command attempt" tcp-state established,originator http /.*\/[cC][hH][gG][rR][pP]([^-a-zA-Z0-9_.]|$)/ requires-reverse-signature ! http_error } signature s2b-1338-6 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS chown command attempt" tcp-state established,originator http /.*\/[cC][hH][oO][wW][nN]([^-a-zA-Z0-9_.]|$)/ requires-reverse-signature ! http_error } signature s2b-1339-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS chsh command attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][sS][hH]/ requires-reverse-signature ! http_error } signature s2b-1340-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS tftp command attempt" tcp-state established,originator payload /.*[tT][fF][tT][pP]%20/ requires-signature ! http_cool_dll requires-reverse-signature ! http_error } signature s2b-1341-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /usr/bin/gcc command attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG][cC][cC]/ requires-reverse-signature ! http_error } signature s2b-1342-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS gcc command attempt" tcp-state established,originator payload /.*[gG][cC][cC]%20-[oO]/ requires-reverse-signature ! http_error } signature s2b-1343-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /usr/bin/cc command attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][cC]/ requires-reverse-signature ! http_error } signature s2b-1344-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS cc command attempt" tcp-state established,originator payload /.*[cC][cC]%20/ requires-reverse-signature ! 
http_error } signature s2b-1345-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /usr/bin/cpp command attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][pP][pP]/ requires-reverse-signature ! http_error } signature s2b-1347-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /usr/bin/g++ command attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG]\+\+/ requires-reverse-signature ! http_error } signature s2b-1348-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS g++ command attempt" tcp-state established,originator payload /.*[gG]\+\+%20/ requires-reverse-signature ! http_error } signature s2b-1351-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS bin/tclsh execution attempt" tcp-state established,originator payload /.*[bB][iI][nN]\/[tT][cC][lL][sS][hH]/ requires-reverse-signature ! http_error } signature s2b-1352-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS tclsh execution attempt" tcp-state established,originator payload /.*[tT][cC][lL][sS][hH]8%20/ requires-reverse-signature ! http_error } signature s2b-1353-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS bin/nasm command attempt" tcp-state established,originator payload /.*[bB][iI][nN]\/[nN][aA][sS][mM]/ requires-reverse-signature ! http_error } signature s2b-1354-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS nasm command attempt" tcp-state established,originator payload /.*[nN][aA][sS][mM]%20/ requires-reverse-signature ! http_error } signature s2b-1355-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /usr/bin/perl execution attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[pP][eE][rR][lL]/ requires-reverse-signature ! 
http_error } signature s2b-1356-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS perl execution attempt" tcp-state established,originator payload /.*[pP][eE][rR][lL]%20/ requires-reverse-signature ! http_error } signature s2b-1357-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS nt admin addition attempt" tcp-state established,originator payload /.*[nN][eE][tT] [lL][oO][cC][aA][lL][gG][rR][oO][uU][pP] [aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS] \/[aA][dD][dD]/ requires-reverse-signature ! http_error } signature s2b-1358-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS traceroute command attempt" tcp-state established,originator payload /.*[tT][rR][aA][cC][eE][rR][oO][uU][tT][eE]%20/ requires-reverse-signature ! http_error } signature s2b-1359-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS ping command attempt" tcp-state established,originator payload /.*\/[bB][iI][nN]\/[pP][iI][nN][gG]/ requires-reverse-signature ! http_error } signature s2b-1360-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS netcat command attempt" tcp-state established,originator payload /.*[nN][cC]%20/ requires-reverse-signature ! http_error } signature s2b-1361-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS nmap command attempt" tcp-state established,originator payload /.*[nN][mM][aA][pP]%20/ requires-reverse-signature ! http_error } signature s2b-1362-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS xterm command attempt" tcp-state established,originator payload /.*\/[uU][sS][rR]\/[xX]11[rR]6\/[bB][iI][nN]\/[xX][tT][eE][rR][mM]/ requires-reverse-signature ! http_error } signature s2b-1363-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS X application to remote host attempt" tcp-state established,originator payload /.*%20-[dD][iI][sS][pP][lL][aA][yY]%20/ requires-reverse-signature ! 
http_error } signature s2b-1364-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS lsof command attempt" tcp-state established,originator payload /.*[lL][sS][oO][fF]%20/ requires-reverse-signature ! http_error } signature s2b-1365-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS rm command attempt" tcp-state established,originator payload /.*[rR][mM]%20/ requires-reverse-signature ! http_error } signature s2b-1366-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS mail command attempt" tcp-state established,originator payload /.*\/[bB][iI][nN]\/[mM][aA][iI][lL]/ requires-reverse-signature ! http_error } signature s2b-1367-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS mail command attempt" tcp-state established,originator payload /.*[mM][aA][iI][lL]%20/ requires-reverse-signature ! http_error } signature s2b-1368-6 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /bin/ls| command attempt" http /.*[\/\\]bin[\/\\]ls\x7C/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1369-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /bin/ls command attempt" http /.*[\/\\]bin[\/\\]ls[^a-zA-Z0-9_.-]/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1370-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /etc/inetd.conf access" tcp-state established,originator payload /.*\/[eE][tT][cC]\/[iI][nN][eE][tT][dD]\.[cC][oO][nN][fF]/ requires-reverse-signature ! http_error } signature s2b-1372-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS /etc/shadow access" tcp-state established,originator payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:/ requires-reverse-signature ! 
http_error } signature s2b-1373-6 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS conf/httpd.conf attempt" tcp-state established,originator payload /.*[cC][oO][nN][fF]\/[hH][tT][tT][pP][dD]\.[cC][oO][nN][fF]/ requires-reverse-signature ! http_error } signature s2b-1374-5 { ip-proto == tcp dst-port == http_ports event "WEB-ATTACKS .htgroup access" http /.*\.htgroup[\x20\x09\x0b]*$/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-803-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt" http /.*[\/\\]hsx\.cgi/ tcp-state established,originator payload /.*\.\.\/\.\.\/.{1}.*%00/ requires-reverse-signature ! http_error } signature s2b-804-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI SWSoft ASPSeek Overflow attempt" http /.*[\/\\]s\.cgi/ tcp-state established,originator payload /.*[tT][mM][pP][lL]=/ requires-reverse-signature ! http_error } signature s2b-806-11 { ip-proto == tcp dst-port == http_ports event "WEB-CGI yabb directory traversal attempt" http /.*[\/\\]YaBB/ tcp-state established,originator payload /.*\.\.\// requires-reverse-signature ! http_error } signature s2b-809-11 { ip-proto == tcp dst-port == http_ports event "WEB-CGI whois_raw.cgi arbitrary command execution attempt" http /.*[\/\\]whois_raw\.cgi\?/ tcp-state established,originator payload /.*\x0A/ requires-reverse-signature ! http_error } signature s2b-810-11 { ip-proto == tcp dst-port == http_ports event "WEB-CGI whois_raw.cgi access" http /.*[\/\\]whois_raw\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-813-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI webplus directory traversal" http /.*[\/\\]webplus\?script/ tcp-state established,originator payload /.*\.\.\// requires-reverse-signature ! 
http_error } signature s2b-1571-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI dcforum.cgi directory traversal attempt" http /.*[\/\\]dcforum\.cgi/ tcp-state established,originator payload /.*forum=\.\.\/\.\./ requires-reverse-signature ! http_error } signature s2b-817-10 { ip-proto == tcp dst-port == http_ports event "WEB-CGI dcboard.cgi invalid user addition attempt" http /.*[\/\\]dcboard\.cgi/ tcp-state established,originator payload /.*command=register/ payload /.*%7cadmin/ requires-reverse-signature ! http_error } signature s2b-1410-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI dcboard.cgi access" http /.*[\/\\]dcboard\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-820-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI anaconda directory transversal attempt" http /.*[\/\\]apexec\.pl/ tcp-state established,originator payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\// requires-reverse-signature ! http_error } signature s2b-821-12 { ip-proto == tcp dst-port == http_ports event "WEB-CGI imagemap.exe overflow attempt" http /.*[\/\\]imagemap\.exe\?/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1608-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI htmlscript attempt" http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-826-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI htmlscript access" http /.*[\/\\]htmlscript/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-827-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI info2www access" http /.*[\/\\]info2www/ tcp-state established,originator requires-reverse-signature ! 
http_error } signature s2b-828-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI maillist.pl access" http /.*[\/\\]maillist\.pl/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-829-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI nph-test-cgi access" http /.*[\/\\]nph-test-cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1451-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI NPH-publish access" http /.*[\/\\]nph-maillist\.pl/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-833-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI rguest.exe access" http /.*[\/\\]rguest\.exe/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-834-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI rwwwshell.pl access" http /.*[\/\\]rwwwshell\.pl/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1644-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI test-cgi attempt" http /.*[\/\\]test-cgi[\/\\]\*\?\*/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-835-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI test-cgi access" http /.*[\/\\]test-cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1645-6 { ip-proto == tcp dst-ip == local_nets dst-port == http_ports event "WEB-CGI testcgi access" http /.*[\/\\]testcgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1646-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI test.cgi access" http /.*[\/\\]test\.cgi/ tcp-state established,originator requires-reverse-signature ! 
http_error } signature s2b-836-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI textcounter.pl access" http /.*[\/\\]textcounter\.pl/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-837-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI uploader.exe access" http /.*[\/\\]uploader\.exe/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-838-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI webgais access" http /.*[\/\\]webgais/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-840-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI perlshop.cgi access" http /.*[\/\\]perlshop\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-841-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI pfdisplay.cgi access" http /.*[\/\\]pfdisplay\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-842-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI aglimpse access" http /.*[\/\\]aglimpse/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-843-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI anform2 access" http /.*[\/\\]AnForm2/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-844-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI args.bat access" http /.*[\/\\]args\.bat/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1452-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI args.cmd access" http /.*[\/\\]args\.cmd/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-845-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI AT-admin.cgi access" http /.*[\/\\]AT-admin\.cgi/ tcp-state established,originator requires-reverse-signature ! 
http_error } signature s2b-1453-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI AT-generated.cgi access" http /.*[\/\\]AT-generated\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-846-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bnbform.cgi access" http /.*[\/\\]bnbform\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-847-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI campas access" http /.*[\/\\]campas/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-848-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI view-source directory traversal" http /.*[\/\\]view-source/ tcp-state established,originator payload /.*\.\.\// requires-reverse-signature ! http_error } signature s2b-850-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI wais.pl access" http /.*[\/\\]wais\.pl/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-1454-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI wwwwais access" http /.*[\/\\]wwwwais/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-851-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI files.pl access" http /.*[\/\\]files\.pl/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-852-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI wguest.exe access" http /.*[\/\\]wguest\.exe/ tcp-state established,originator requires-reverse-signature ! http_error } signature s2b-854-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI classifieds.cgi access" http /.*[\/\\]classifieds\.cgi/ tcp-state established,originator requires-reverse-signature ! 
# (continuation: last clause and closing brace of the signature that began in the preceding chunk)
http_error }
#
# WEB-CGI request signatures, generated from Snort rules by s2b.pl (the name
# appears to be s2b-<sid>-<revision>).  Every signature in this group:
#   - applies to TCP requests to dst-port http_ports, in the originator
#     direction of an established connection (tcp-state established,originator);
#   - tests the request URI with an `http /.../` regex; each pattern starts
#     with `.*` and is therefore unanchored, and almost all require a path
#     separator ([\/\\]) directly before the script name;
#   - carries `requires-reverse-signature ! http_error`, i.e. it matches only
#     when the responder side did NOT match the http_error signature
#     (presumably a responder-direction signature for HTTP error replies,
#     defined elsewhere in the file — not visible in this chunk).
# http_ports, local_nets and http_error are referenced but not defined here.
# Where an "attempt" signature exists for a script, it adds one or more
# `payload` clauses for the exploit parameter and precedes the plain "access"
# signature for the same script.
signature s2b-856-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI environ.cgi access" http /.*[\/\\]environ\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-857-10 { ip-proto == tcp dst-port == http_ports event "WEB-CGI faxsurvey access" http /.*[\/\\]faxsurvey/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-858-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI filemail access" http /.*[\/\\]filemail\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-859-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI man.sh access" http /.*[\/\\]man\.sh/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-860-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI snork.bat access" http /.*[\/\\]snork\.bat/ tcp-state established,originator requires-reverse-signature ! http_error }
# w3-msql is matched as a directory component (separator on both sides).
signature s2b-861-12 { ip-proto == tcp dst-port == http_ports event "WEB-CGI w3-msql access" http /.*[\/\\]w3-msql[\/\\]/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-863-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI day5datacopier.cgi access" http /.*[\/\\]day5datacopier\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-864-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI day5datanotifier.cgi access" http /.*[\/\\]day5datanotifier\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-866-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI post-query access" http /.*[\/\\]post-query/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-867-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI visadmin.exe access" http /.*[\/\\]visadmin\.exe/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-869-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI dumpenv.pl access" http /.*[\/\\]dumpenv\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
# "attempt" form: \x7C is a literal '|' in the config= parameter, the marker
# this rule uses for the command-execution variant.  The generic access
# signature for the same script is s2b-1537-6.
signature s2b-1536-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI calendar_admin.pl arbitrary command execution attempt" http /.*[\/\\]calendar_admin\.pl\?config=\x7C/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1537-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI calendar_admin.pl access" http /.*[\/\\]calendar_admin\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
# Hyphenated spelling of the same script name as s2b-1537-6.
signature s2b-1701-4 { ip-proto == tcp dst-port == http_ports event "WEB-CGI calendar-admin.pl access" http /.*[\/\\]calendar-admin\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1457-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI user_update_admin.pl access" http /.*[\/\\]user_update_admin\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1458-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI user_update_passwd.pl access" http /.*[\/\\]user_update_passwd\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-870-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI snorkerz.cmd access" http /.*[\/\\]snorkerz\.cmd/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-871-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI survey.cgi access" http /.*[\/\\]survey\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-875-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI win-c-sample.exe access" http /.*[\/\\]win-c-sample\.exe/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-878-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI w3tvars.pm access" http /.*[\/\\]w3tvars\.pm/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-879-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI admin.pl access" http /.*[\/\\]admin\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-880-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI LWGate access" http /.*[\/\\]LWGate/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-881-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI archie access" http /.*[\/\\]archie/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-883-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI flexform access" http /.*[\/\\]flexform/ tcp-state established,originator requires-reverse-signature ! http_error }
# NOTE(review): in /formmail{0,5}\?/ the {0,5} quantifier binds only to the
# final 'l', so the URI has to contain "formmai", up to five 'l' characters,
# and then a literal '?' with nothing in between; a request for
# /formmail.pl?... does not match.  This looks like a dropped '.'
# (formmail.{0,5}\?) in the translation — confirm against the source rule
# before changing.  s2b-884-14 below carries the same pattern.
# The payload clause requires an encoded newline (%0a / %0A) anywhere in the
# request.
signature s2b-1610-11 { ip-proto == tcp dst-port == http_ports event "WEB-CGI formmail arbitrary command execution attempt" http /.*[\/\\]formmail{0,5}\?/ tcp-state established,originator payload /.*%0[aA]/ requires-reverse-signature ! http_error }
# Same http pattern as s2b-1610-11 (see the note there).
signature s2b-884-14 { ip-proto == tcp dst-port == http_ports event "WEB-CGI formmail access" http /.*[\/\\]formmail{0,5}\?/ tcp-state established,originator requires-reverse-signature ! http_error }
# NOTE(review): the second payload clause /.*%0a\// is case-sensitive on the
# hex digit, unlike the [qQ]... character classes of the first clause and the
# %0[aA] form used in s2b-1610-11; %0[aA]\/ would make it consistent.
# Both payload clauses must match for the signature to fire.
signature s2b-1762-4 { ip-proto == tcp dst-port == http_ports event "WEB-CGI phf arbitrary command execution attempt" http /.*[\/\\]phf/ tcp-state established,originator payload /.*[qQ][aA][lL][iI][aA][sS]/ payload /.*%0a\// requires-reverse-signature ! http_error }
signature s2b-887-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI www-sql access" http /.*[\/\\]www-sql/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-888-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI wwwadmin.pl access" http /.*[\/\\]wwwadmin\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-889-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI ppdscgi.exe access" http /.*[\/\\]ppdscgi\.exe/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-890-10 { ip-proto == tcp dst-port == http_ports event "WEB-CGI sendform.cgi access" http /.*[\/\\]sendform\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-891-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI upload.pl access" http /.*[\/\\]upload\.pl/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-892-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI AnyForm2 access" http /.*[\/\\]AnyForm2/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-893-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI MachineInfo access" http /.*[\/\\]MachineInfo/ tcp-state established,originator requires-reverse-signature ! http_error }
# "attempt" form: HISTFILE= followed by ../.. with either separator accepted
# between the two ".." components.
signature s2b-1531-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-hist.sh attempt" http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-894-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-hist.sh access" http /.*[\/\\]bb-hist\.sh/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1459-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-histlog.sh access" http /.*[\/\\]bb-histlog\.sh/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1460-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-histsvc.sh access" http /.*[\/\\]bb-histsvc\.sh/ tcp-state established,originator requires-reverse-signature ! http_error }
# NOTE(review): the event name says "bb-hostscv.sh" while the pattern matches
# bb-hostsvc.sh (same in s2b-1533-7).  The spelling is inherited from the
# source rule and is what alerts carry, so leave the string unless downstream
# consumers are updated too.  The second \? requires a literal '?' directly
# after HOSTSVC, not '=' — confirm against the source rule that this is the
# intended parameter form.
signature s2b-1532-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-hostscv.sh attempt" http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1533-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-hostscv.sh access" http /.*[\/\\]bb-hostsvc\.sh/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1461-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-rep.sh access" http /.*[\/\\]bb-rep\.sh/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1462-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI bb-replog.sh access" http /.*[\/\\]bb-replog\.sh/ tcp-state established,originator requires-reverse-signature ! http_error }
# NOTE(review): the traversal payload /.*\.\.\/\.\./ accepts only forward
# slashes, while the URI clause accepts [\/\\] and s2b-1531-6 writes the same
# check as \.\.[\/\\]\.\.; the forward-slash-only form recurs in s2b-1572-7
# and s2b-1395-8.  Both payload clauses (db= and ../..) must match.
signature s2b-1397-6 { ip-proto == tcp dst-port == http_ports event "WEB-CGI wayboard attempt" http /.*[\/\\]way-board[\/\\]way-board\.cgi/ tcp-state established,originator payload /.*db=/ payload /.*\.\.\/\.\./ requires-reverse-signature ! http_error }
# NOTE(review): the only signature in this group that additionally requires
# dst-ip == local_nets — confirm the restriction is intended.  The URI
# pattern needs "db=" followed by at least two characters and a NUL byte
# (\x00).
signature s2b-896-11 { ip-proto == tcp dst-port == http_ports dst-ip == local_nets event "WEB-CGI way-board access" http /.*[\/\\]way-board\?db\=.{2,}\x00/ tcp-state established,originator requires-reverse-signature ! http_error }
# "attempt" form only requires a (case-insensitive) documentname= parameter
# somewhere in the request; no traversal sequence is checked.
signature s2b-1222-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI pals-cgi arbitrary file access attempt" http /.*[\/\\]pals-cgi/ tcp-state established,originator payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/ requires-reverse-signature ! http_error }
signature s2b-897-10 { ip-proto == tcp dst-port == http_ports event "WEB-CGI pals-cgi access" http /.*[\/\\]pals-cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
# "attempt" form: page= parameter plus a "/../" sequence (forward slashes
# only; see the note at s2b-1397-6).
signature s2b-1572-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI commerce.cgi arbitrary file access attempt" http /.*[\/\\]commerce\.cgi/ tcp-state established,originator payload /.*page=/ payload /.*\/\.\.\// requires-reverse-signature ! http_error }
signature s2b-898-9 { ip-proto == tcp dst-port == http_ports event "WEB-CGI commerce.cgi access" http /.*[\/\\]commerce\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
# Despite the event name, the payload clause only requires a
# (case-insensitive) templ= parameter; no traversal sequence is checked, so
# any sendtemp.pl request carrying that parameter matches.
signature s2b-899-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" http /.*[\/\\]sendtemp\.pl/ tcp-state established,originator payload /.*[tT][eE][mM][pP][lL]=/ requires-reverse-signature ! http_error }
signature s2b-901-10 { ip-proto == tcp dst-port == http_ports event "WEB-CGI webspirs.cgi access" http /.*[\/\\]webspirs\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
# No leading [\/\\] here: tstisapi.dll is matched anywhere in the URI, not
# only as a path component.
signature s2b-902-7 { ip-proto == tcp dst-port == http_ports event "WEB-CGI tstisapi.dll access" http /.*tstisapi\.dll/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1308-5 { ip-proto == tcp dst-port == http_ports event "WEB-CGI sendmessage.cgi access" http /.*[\/\\]sendmessage\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
signature s2b-1392-10 { ip-proto == tcp dst-port == http_ports event "WEB-CGI lastlines.cgi access" http /.*[\/\\]lastlines\.cgi/ tcp-state established,originator requires-reverse-signature ! http_error }
# "attempt" form: file= followed by "../" (forward slash only; see the note
# at s2b-1397-6).
signature s2b-1395-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI zml.cgi attempt" http /.*[\/\\]zml\.cgi/ tcp-state established,originator payload /.*file=\.\.\// requires-reverse-signature ! http_error }
# (this signature's final clause and closing brace continue on the next line)
signature s2b-1396-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI zml.cgi access" http /.*[\/\\]zml\.cgi/ tcp-state established,originator requires-reverse-signature ! 
http_error } signature s2b-1534-8 { ip-proto == tcp dst-port == http_ports event "WEB-CGI agora.cgi attempt" http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=