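# $Id: ex.web-rules.sig 6 2004-04-30 00:31:26Z jason $
#
# This is a subset of Snort's signatures (automatically converted into Bro's
# language by snort2bro).
#
# [web-*.rules from snortrules-current.tar.gz as of Oct 9 19:15:02 2003 GMT]
#
# To use it, customize the variables contained in snort.bro and load snort.bro
# and signatures.bro.
#
# Reading notes (review):
# - The file is laid out one condition per line. When it is collapsed onto
#   long lines, the leading '#' of this header turns the first rules into
#   comment text and several event strings end up split across lines.
# - Every signature below carries the same scoping conditions: TCP, source
#   outside local_nets, destination in http_servers on http_ports, and only
#   the originator side of an established connection. Requests that come
#   from inside local_nets are therefore never matched by this set.
# - All conditions of a signature must hold for it to fire, so a rule with an
#   `http` pattern plus one or more `payload` patterns needs every one of them.
# - `http` is matched against the HTTP request URI, `payload` against the raw
#   payload bytes. The `http` patterns here are case-sensitive; the `payload`
#   patterns spell out both cases per letter (presumably snort2bro's rendering
#   of Snort's nocase -- confirm against the converter).
# - Patterns containing %20, %00, %0a or %7c in a `payload` condition are
#   compared with the literal percent-encoded bytes, so they describe one
#   specific encoding of the request.
# - Rules named "... access" fire on any request for the path and say nothing
#   about intent. Where an "... attempt" rule exists for the same path, both
#   fire on the same request; correlate rather than count them separately.
# - Event strings are kept exactly as converted (including upstream spelling),
#   because downstream policy may key on them.

# ---------------------------------------------------------------------------
# WEB-ATTACKS: command names and sensitive file paths seen in requests
# ---------------------------------------------------------------------------

# NOTE(review): the event texts of sid-1328 and sid-1329 look swapped relative
# to their patterns (this one matches ".../bin/ps").
signature sid-1328 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS ps command attempt"
  http /.*[\/\\]bin[\/\\]ps/
  tcp-state established,originator
}

# Matches "ps%20" anywhere in the URI, including as the tail of a longer word;
# expect noise and treat as a low-confidence indicator.
signature sid-1329 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /bin/ps command attempt"
  http /.*ps%20/
  tcp-state established,originator
}

signature sid-1330 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS wget command attempt"
  tcp-state established,originator
  payload /.*[wW][gG][eE][tT]%20/
}

signature sid-1331 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS uname -a command attempt"
  tcp-state established,originator
  payload /.*[uU][nN][aA][mM][eE]%20-[aA]/
}

signature sid-1332 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /usr/bin/id command attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[iI][dD]/
}

# Three-byte pattern (";id", any case) with no boundary after it: also matches
# ";id=..." style parameters. Noisy; tune or correlate before alerting.
signature sid-1333 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS id command attempt"
  tcp-state established,originator
  payload /.*;[iI][dD]/
}

signature sid-1334 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS echo command attempt"
  tcp-state established,originator
  payload /.*\/[bB][iI][nN]\/[eE][cC][hH][oO]/
}

signature sid-1335 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS kill command attempt"
  tcp-state established,originator
  payload /.*\/[bB][iI][nN]\/[kK][iI][lL][lL]/
}

signature sid-1336 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS chmod command attempt"
  tcp-state established,originator
  payload /.*\/[bB][iI][nN]\/[cC][hH][mM][oO][dD]/
}

signature sid-1337 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS chgrp command attempt"
  tcp-state established,originator
  payload /.*\/[cC][hH][gG][rR][pP]/
}

signature sid-1338 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS chown command attempt"
  tcp-state established,originator
  payload /.*\/[cC][hH][oO][wW][nN]/
}

signature sid-1339 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS chsh command attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][sS][hH]/
}

signature sid-1340 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS tftp command attempt"
  tcp-state established,originator
  payload /.*[tT][fF][tT][pP]%20/
}

signature sid-1341 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /usr/bin/gcc command attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG][cC][cC]/
}

signature sid-1342 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS gcc command attempt"
  tcp-state established,originator
  payload /.*[gG][cC][cC]%20-[oO]/
}

signature sid-1343 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /usr/bin/cc command attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][cC]/
}

# Two letters plus "%20" with no leading boundary: any word ending in "cc"
# followed by an encoded space matches. High false-positive potential.
signature sid-1344 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS cc command attempt"
  tcp-state established,originator
  payload /.*[cC][cC]%20/
}

signature sid-1345 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /usr/bin/cpp command attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][pP][pP]/
}

signature sid-1346 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS cpp command attempt"
  tcp-state established,originator
  payload /.*[cC][pP][pP]%20/
}

signature sid-1347 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /usr/bin/g++ command attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG]\+\+/
}

signature sid-1348 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS g++ command attempt"
  tcp-state established,originator
  payload /.*[gG]\+\+%20/
}

signature sid-1349 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS bin/python access attempt"
  tcp-state established,originator
  payload /.*[bB][iI][nN]\/[pP][yY][tT][hH][oO][nN]/
}

signature sid-1350 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS python access attempt"
  tcp-state established,originator
  payload /.*[pP][yY][tT][hH][oO][nN]%20/
}

signature sid-1351 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS bin/tclsh execution attempt"
  tcp-state established,originator
  payload /.*[bB][iI][nN]\/[tT][cC][lL][sS][hH]/
}

# Note the literal "8" in the pattern: only "tclsh8%20" matches.
signature sid-1352 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS tclsh execution attempt"
  tcp-state established,originator
  payload /.*[tT][cC][lL][sS][hH]8%20/
}

signature sid-1353 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS bin/nasm command attempt"
  tcp-state established,originator
  payload /.*[bB][iI][nN]\/[nN][aA][sS][mM]/
}

signature sid-1354 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS nasm command attempt"
  tcp-state established,originator
  payload /.*[nN][aA][sS][mM]%20/
}

signature sid-1355 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /usr/bin/perl execution attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[pP][eE][rR][lL]/
}

signature sid-1356 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS perl execution attempt"
  tcp-state established,originator
  payload /.*[pP][eE][rR][lL]%20/
}

# Unlike its neighbours this pattern uses literal spaces, not "%20".
signature sid-1357 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS nt admin addition attempt"
  tcp-state established,originator
  payload /.*[nN][eE][tT] [lL][oO][cC][aA][lL][gG][rR][oO][uU][pP] [aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS] \/[aA][dD][dD]/
}

signature sid-1358 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS traceroute command attempt"
  tcp-state established,originator
  payload /.*[tT][rR][aA][cC][eE][rR][oO][uU][tT][eE]%20/
}

signature sid-1359 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS ping command attempt"
  tcp-state established,originator
  payload /.*\/[bB][iI][nN]\/[pP][iI][nN][gG]/
}

# "nc%20" with no leading boundary matches any word ending in "nc" followed by
# an encoded space. High false-positive potential.
signature sid-1360 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS netcat command attempt"
  tcp-state established,originator
  payload /.*[nN][cC]%20/
}

signature sid-1361 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS nmap command attempt"
  tcp-state established,originator
  payload /.*[nN][mM][aA][pP]%20/
}

signature sid-1362 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS xterm command attempt"
  tcp-state established,originator
  payload /.*\/[uU][sS][rR]\/[xX]11[rR]6\/[bB][iI][nN]\/[xX][tT][eE][rR][mM]/
}

signature sid-1363 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS X application to remote host attempt"
  tcp-state established,originator
  payload /.*%20-[dD][iI][sS][pP][lL][aA][yY]%20/
}

signature sid-1364 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS lsof command attempt"
  tcp-state established,originator
  payload /.*[lL][sS][oO][fF]%20/
}

# "rm%20" with no leading boundary also matches words that merely end in "rm"
# (for example "form%20"). High false-positive potential.
signature sid-1365 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS rm command attempt"
  tcp-state established,originator
  payload /.*[rR][mM]%20/
}

# sid-1366 and sid-1367 share the same event text; tell them apart by
# signature id (this one matches the "/bin/mail" path form).
signature sid-1366 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS mail command attempt"
  tcp-state established,originator
  payload /.*\/[bB][iI][nN]\/[mM][aA][iI][lL]/
}

# Same event text as sid-1366; this one matches "mail%20" anywhere, which
# also covers words ending in "mail".
signature sid-1367 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS mail command attempt"
  tcp-state established,originator
  payload /.*[mM][aA][iI][lL]%20/
}

signature sid-1368 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /bin/ls| command attempt"
  http /.*[\/\\]bin[\/\\]ls\|/
  tcp-state established,originator
}

# Superset of sid-1368: any URI matching that rule matches this one too.
signature sid-1369 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /bin/ls command attempt"
  http /.*[\/\\]bin[\/\\]ls/
  tcp-state established,originator
}

signature sid-1370 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /etc/inetd.conf access"
  tcp-state established,originator
  payload /.*\/[eE][tT][cC]\/[iI][nN][eE][tT][dD]\.[cC][oO][nN][fF]/
}

signature sid-1371 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /etc/motd access"
  tcp-state established,originator
  payload /.*\/[eE][tT][cC]\/[mM][oO][tT][dD]/
}

signature sid-1372 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS /etc/shadow access"
  tcp-state established,originator
  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW]/
}

signature sid-1373 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS conf/httpd.conf attempt"
  tcp-state established,originator
  payload /.*[cC][oO][nN][fF]\/[hH][tT][tT][pP][dD]\.[cC][oO][nN][fF]/
}

signature sid-1374 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-ATTACKS .htgroup access"
  http /.*\.htgroup/
  tcp-state established,originator
}

# ---------------------------------------------------------------------------
# WEB-CGI: requests for specific CGI programs and known abuse patterns
# ---------------------------------------------------------------------------

signature sid-803 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
  http /.*[\/\\]hsx\.cgi/
  tcp-state established,originator
  payload /.*\.\.\/\.\.\/.{1}.*%00/
}

signature sid-1607 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI HyperSeek hsx.cgi access"
  http /.*[\/\\]hsx\.cgi/
  tcp-state established,originator
}

# The payload condition only checks that a "tmpl=" parameter is present; it
# does not look at the value, so the "Overflow attempt" label is optimistic.
# The URI pattern "/s.cgi" is also short and generic.
signature sid-804 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI SWSoft ASPSeek Overflow attempt"
  http /.*[\/\\]s\.cgi/
  tcp-state established,originator
  payload /.*[tT][mM][pP][lL]=/
}

signature sid-805 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI webspeed access"
  http /.*[\/\\]wsisa\.dll[\/\\]WService=/
  tcp-state established,originator
  payload /.*[wW][sS][mM][aA][dD][mM][iI][nN]/
}

# Event text says "yabb.cgi" but the URI pattern matches "YaBB.pl"
# (same for sid-1637).
signature sid-806 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI yabb.cgi directory traversal attempt"
  http /.*[\/\\]YaBB\.pl/
  tcp-state established,originator
  payload /.*\.\.\//
}

signature sid-1637 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI yabb.cgi access"
  http /.*[\/\\]YaBB\.pl/
  tcp-state established,originator
}

signature sid-807 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI /wwwboard/passwd.txt access"
  http /.*[\/\\]wwwboard[\/\\]passwd\.txt/
  tcp-state established,originator
}

signature sid-808 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI webdriver access"
  http /.*[\/\\]webdriver/
  tcp-state established,originator
}

# The payload condition is a single raw newline byte (0x0a) anywhere in the
# payload. NOTE(review): an ordinary HTTP request contains newlines in its
# header section, so if `payload` sees the whole request this condition adds
# little beyond the URI match -- confirm what the matcher is applied to.
signature sid-809 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
  http /.*[\/\\]whois_raw\.cgi\?/
  tcp-state established,originator
  payload /.*\x0a/
}

signature sid-810 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI whois_raw.cgi access"
  http /.*[\/\\]whois_raw\.cgi/
  tcp-state established,originator
}

# No URI condition: fires on the byte sequence " /HTTP/1." (space, slash,
# "HTTP/1.") in the payload.
signature sid-811 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI websitepro path access"
  tcp-state established,originator
  payload /.* \/[hH][tT][tT][pP]\/1\./
}

signature sid-812 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI webplus version access"
  http /.*[\/\\]webplus\?about/
  tcp-state established,originator
}

signature sid-813 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI webplus directory traversal"
  http /.*[\/\\]webplus\?script/
  tcp-state established,originator
  payload /.*\.\.\//
}

signature sid-815 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI websendmail access"
  http /.*[\/\\]websendmail/
  tcp-state established,originator
}

signature sid-1571 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI dcforum.cgi directory traversal attempt"
  http /.*[\/\\]dcforum\.cgi/
  tcp-state established,originator
  payload /.*forum=\.\.\/\.\./
}

signature sid-818 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI dcforum.cgi access"
  http /.*[\/\\]dcforum\.cgi/
  tcp-state established,originator
}

# Needs the URI match and both payload patterns; the two payload patterns are
# independent, so their relative order in the request is not constrained.
signature sid-817 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI dcboard.cgi invalid user addition attempt"
  http /.*[\/\\]dcboard\.cgi/
  tcp-state established,originator
  payload /.*command=register/
  payload /.*%7cadmin/
}

signature sid-1410 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI dcboard.cgi access"
  http /.*[\/\\]dcboard\.cgi/
  tcp-state established,originator
}

signature sid-819 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI mmstdod.cgi access"
  http /.*[\/\\]mmstdod\.cgi/
  tcp-state established,originator
}

# "transversal" is the upstream spelling of the event text; left unchanged.
signature sid-820 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI anaconda directory transversal attempt"
  http /.*[\/\\]apexec\.pl/
  tcp-state established,originator
  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
}

# Fires on any request to imagemap.exe that has a query string; the pattern
# does not measure the argument length despite the "overflow" label.
signature sid-821 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI imagemap.exe overflow attempt"
  http /.*[\/\\]imagemap\.exe\?/
  tcp-state established,originator
}

signature sid-1700 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI imagemap.exe access"
  http /.*[\/\\]imagemap\.exe/
  tcp-state established,originator
}

signature sid-823 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI cvsweb.cgi access"
  http /.*[\/\\]cvsweb\.cgi/
  tcp-state established,originator
}

signature sid-824 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI php.cgi access"
  http /.*[\/\\]php\.cgi/
  tcp-state established,originator
}

signature sid-825 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI glimpse access"
  http /.*[\/\\]glimpse/
  tcp-state established,originator
}

signature sid-1608 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI htmlscript attempt"
  http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./
  tcp-state established,originator
}

signature sid-826 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI htmlscript access"
  http /.*[\/\\]htmlscript/
  tcp-state established,originator
}

signature sid-827 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI info2www access"
  http /.*[\/\\]info2www/
  tcp-state established,originator
}

signature sid-828 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI maillist.pl access"
  http /.*[\/\\]maillist\.pl/
  tcp-state established,originator
}

signature sid-829 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI nph-test-cgi access"
  http /.*[\/\\]nph-test-cgi/
  tcp-state established,originator
}

# NOTE(review): the event text says "NPH-publish" but the pattern matches
# "nph-maillist.pl"; sid-830 carries the same event text. Distinguish the two
# by signature id when triaging.
signature sid-1451 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI NPH-publish access"
  http /.*[\/\\]nph-maillist\.pl/
  tcp-state established,originator
}

signature sid-830 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI NPH-publish access"
  http /.*[\/\\]nph-publish/
  tcp-state established,originator
}

signature sid-833 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI rguest.exe access"
  http /.*[\/\\]rguest\.exe/
  tcp-state established,originator
}

signature sid-834 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI rwwwshell.pl access"
  http /.*[\/\\]rwwwshell\.pl/
  tcp-state established,originator
}

signature sid-1644 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI test-cgi attempt"
  http /.*[\/\\]test-cgi[\/\\]\*\?\*/
  tcp-state established,originator
}

# Also matches "/test-cgi" as a path prefix, so it fires together with
# sid-1644.
signature sid-835 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI test-cgi access"
  http /.*[\/\\]test-cgi/
  tcp-state established,originator
}

signature sid-1645 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI testcgi access"
  http /.*[\/\\]testcgi/
  tcp-state established,originator
}

signature sid-1646 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI test.cgi access"
  http /.*[\/\\]test\.cgi/
  tcp-state established,originator
}

signature sid-836 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI textcounter.pl access"
  http /.*[\/\\]textcounter\.pl/
  tcp-state established,originator
}

signature sid-837 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI uploader.exe access"
  http /.*[\/\\]uploader\.exe/
  tcp-state established,originator
}

signature sid-838 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI webgais access"
  http /.*[\/\\]webgais/
  tcp-state established,originator
}

signature sid-839 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI finger access"
  http /.*[\/\\]finger/
  tcp-state established,originator
}

signature sid-840 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI perlshop.cgi access"
  http /.*[\/\\]perlshop\.cgi/
  tcp-state established,originator
}

signature sid-841 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI pfdisplay.cgi access"
  http /.*[\/\\]pfdisplay\.cgi/
  tcp-state established,originator
}

signature sid-842 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI aglimpse access"
  http /.*[\/\\]aglimpse/
  tcp-state established,originator
}

signature sid-843 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI anform2 access"
  http /.*[\/\\]AnForm2/
  tcp-state established,originator
}

signature sid-844 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI args.bat access"
  http /.*[\/\\]args\.bat/
  tcp-state established,originator
}

signature sid-1452 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI args.cmd access"
  http /.*[\/\\]args\.cmd/
  tcp-state established,originator
}

signature sid-845 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI AT-admin.cgi access"
  http /.*[\/\\]AT-admin\.cgi/
  tcp-state established,originator
}

signature sid-1453 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI AT-generated.cgi access"
  http /.*[\/\\]AT-generated\.cgi/
  tcp-state established,originator
}

signature sid-846 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bnbform.cgi access"
  http /.*[\/\\]bnbform\.cgi/
  tcp-state established,originator
}

signature sid-847 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI campas access"
  http /.*[\/\\]campas/
  tcp-state established,originator
}

signature sid-848 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI view-source directory traversal"
  http /.*[\/\\]view-source/
  tcp-state established,originator
  payload /.*\.\.\//
}

signature sid-849 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI view-source access"
  http /.*[\/\\]view-source/
  tcp-state established,originator
}

signature sid-850 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI wais.pl access"
  http /.*[\/\\]wais\.pl/
  tcp-state established,originator
}

signature sid-1454 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI wwwwais access"
  http /.*[\/\\]wwwwais/
  tcp-state established,originator
}

signature sid-851 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI files.pl access"
  http /.*[\/\\]files\.pl/
  tcp-state established,originator
}

signature sid-852 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI wguest.exe access"
  http /.*[\/\\]wguest\.exe/
  tcp-state established,originator
}

# "/wrap" is a bare prefix: any path segment that starts with "wrap" matches.
signature sid-853 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI wrap access"
  http /.*[\/\\]wrap/
  tcp-state established,originator
}

signature sid-854 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI classifieds.cgi access"
  http /.*[\/\\]classifieds\.cgi/
  tcp-state established,originator
}

signature sid-856 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI environ.cgi access"
  http /.*[\/\\]environ\.cgi/
  tcp-state established,originator
}

signature sid-1647 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI faxsurvey attempt (full path)"
  http /.*[\/\\]faxsurvey\?[\/\\]/
  tcp-state established,originator
}

signature sid-1609 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI faxsurvey arbitrary file read attempt"
  http /.*[\/\\]faxsurvey\?cat%20/
  tcp-state established,originator
}

signature sid-857 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI faxsurvey access"
  http /.*[\/\\]faxsurvey/
  tcp-state established,originator
}

signature sid-858 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI filemail access"
  http /.*[\/\\]filemail\.pl/
  tcp-state established,originator
}

signature sid-859 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI man.sh access"
  http /.*[\/\\]man\.sh/
  tcp-state established,originator
}

signature sid-860 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI snork.bat access"
  http /.*[\/\\]snork\.bat/
  tcp-state established,originator
}

signature sid-861 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI w3-msql access"
  http /.*[\/\\]w3-msql[\/\\]/
  tcp-state established,originator
}

signature sid-863 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI day5datacopier.cgi access"
  http /.*[\/\\]day5datacopier\.cgi/
  tcp-state established,originator
}

signature sid-864 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI day5datanotifier.cgi access"
  http /.*[\/\\]day5datanotifier\.cgi/
  tcp-state established,originator
}

signature sid-866 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI post-query access"
  http /.*[\/\\]post-query/
  tcp-state established,originator
}

signature sid-867 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI visadmin.exe access"
  http /.*[\/\\]visadmin\.exe/
  tcp-state established,originator
}

signature sid-869 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI dumpenv.pl access"
  http /.*[\/\\]dumpenv\.pl/
  tcp-state established,originator
}

signature sid-1536 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
  http /.*[\/\\]calendar_admin\.pl\?config=\|/
  tcp-state established,originator
}

signature sid-1537 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI calendar_admin.pl access"
  http /.*[\/\\]calendar_admin\.pl/
  tcp-state established,originator
}

signature sid-1701 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI calendar-admin.pl access"
  http /.*[\/\\]calendar-admin\.pl/
  tcp-state established,originator
}

# "calender" is spelled this way in both the event text and the pattern.
signature sid-1455 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI calender.pl access"
  http /.*[\/\\]calender\.pl/
  tcp-state established,originator
}

# "/calendar" is a prefix of the paths matched by sid-1536, sid-1537 and
# sid-1701, so this rule fires alongside each of them.
signature sid-882 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI calendar access"
  http /.*[\/\\]calendar/
  tcp-state established,originator
}

signature sid-1457 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI user_update_admin.pl access"
  http /.*[\/\\]user_update_admin\.pl/
  tcp-state established,originator
}

signature sid-1458 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI user_update_passwd.pl access"
  http /.*[\/\\]user_update_passwd\.pl/
  tcp-state established,originator
}

signature sid-870 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI snorkerz.cmd access"
  http /.*[\/\\]snorkerz\.cmd/
  tcp-state established,originator
}

signature sid-871 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI survey.cgi access"
  http /.*[\/\\]survey\.cgi/
  tcp-state established,originator
}

# Matches three consecutive slash/backslash characters anywhere in the URI;
# there is no program name in the pattern.
signature sid-873 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI scriptalias access"
  http /.*[\/\\][\/\\][\/\\]/
  tcp-state established,originator
}

signature sid-875 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI win-c-sample.exe access"
  http /.*[\/\\]win-c-sample\.exe/
  tcp-state established,originator
}

signature sid-878 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI w3tvars.pm access"
  http /.*[\/\\]w3tvars\.pm/
  tcp-state established,originator
}

# Generic file name: any "/admin.pl" on the monitored servers matches, whether
# or not it is the program the upstream rule was written for.
signature sid-879 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI admin.pl access"
  http /.*[\/\\]admin\.pl/
  tcp-state established,originator
}

signature sid-880 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI LWGate access"
  http /.*[\/\\]LWGate/
  tcp-state established,originator
}

signature sid-881 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI archie access"
  http /.*[\/\\]archie/
  tcp-state established,originator
}

signature sid-883 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI flexform access"
  http /.*[\/\\]flexform/
  tcp-state established,originator
}

signature sid-1610 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI formmail arbitrary command execution attempt"
  http /.*[\/\\]formmail/
  tcp-state established,originator
  payload /.*%0[aA]/
}

signature sid-884 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI formmail access"
  http /.*[\/\\]formmail/
  tcp-state established,originator
}

# The second payload pattern spells "%0a" in lower case only, unlike the
# "%0[aA]" used by sid-1610.
signature sid-1762 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI phf arbitrary command execution attempt"
  http /.*[\/\\]phf/
  tcp-state established,originator
  payload /.*[qQ][aA][lL][iI][aA][sS]/
  payload /.*%0a\//
}

signature sid-886 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI phf access"
  http /.*[\/\\]phf/
  tcp-state established,originator
}

signature sid-887 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI www-sql access"
  http /.*[\/\\]www-sql/
  tcp-state established,originator
}

signature sid-888 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI wwwadmin.pl access"
  http /.*[\/\\]wwwadmin\.pl/
  tcp-state established,originator
}

signature sid-889 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI ppdscgi.exe access"
  http /.*[\/\\]ppdscgi\.exe/
  tcp-state established,originator
}

signature sid-890 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI sendform.cgi access"
  http /.*[\/\\]sendform\.cgi/
  tcp-state established,originator
}

signature sid-891 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI upload.pl access"
  http /.*[\/\\]upload\.pl/
  tcp-state established,originator
}

signature sid-892 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI AnyForm2 access"
  http /.*[\/\\]AnyForm2/
  tcp-state established,originator
}

signature sid-893 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI MachineInfo access"
  http /.*[\/\\]MachineInfo/
  tcp-state established,originator
}

signature sid-1531 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-hist.sh attempt"
  http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./
  tcp-state established,originator
}

signature sid-894 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-hist.sh access"
  http /.*[\/\\]bb-hist\.sh/
  tcp-state established,originator
}

signature sid-1459 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-histlog.sh access"
  http /.*[\/\\]bb-histlog\.sh/
  tcp-state established,originator
}

signature sid-1460 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-histsvc.sh access"
  http /.*[\/\\]bb-histsvc\.sh/
  tcp-state established,originator
}

# Event text reads "bb-hostscv.sh" while the pattern matches "bb-hostsvc.sh"
# (same for sid-1533); search logs for the event spelling as written here.
signature sid-1532 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-hostscv.sh attempt"
  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./
  tcp-state established,originator
}

signature sid-1533 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-hostscv.sh access"
  http /.*[\/\\]bb-hostsvc\.sh/
  tcp-state established,originator
}

signature sid-1461 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-rep.sh access"
  http /.*[\/\\]bb-rep\.sh/
  tcp-state established,originator
}

signature sid-1462 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI bb-replog.sh access"
  http /.*[\/\\]bb-replog\.sh/
  tcp-state established,originator
}

# "/redirect" is a common path name on ordinary sites; expect this rule to be
# informational at best.
signature sid-895 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI redirect access"
  http /.*[\/\\]redirect/
  tcp-state established,originator
}

signature sid-1397 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI wayboard attempt"
  http /.*[\/\\]way-board[\/\\]way-board\.cgi/
  tcp-state established,originator
  payload /.*db=/
  payload /.*\.\.\/\.\./
}

signature sid-896 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI way-board access"
  http /.*[\/\\]way-board/
  tcp-state established,originator
}

# The payload condition only checks that a "documentname=" parameter is
# present; the value is not inspected.
signature sid-1222 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI pals-cgi arbitrary file access attempt"
  http /.*[\/\\]pals-cgi/
  tcp-state established,originator
  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
}

signature sid-897 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI pals-cgi access"
  http /.*[\/\\]pals-cgi/
  tcp-state established,originator
}

signature sid-1572 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI commerce.cgi arbitrary file access attempt"
  http /.*[\/\\]commerce\.cgi/
  tcp-state established,originator
  payload /.*page=/
  payload /.*\/\.\.\//
}

signature sid-898 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI commerce.cgi access"
  http /.*[\/\\]commerce\.cgi/
  tcp-state established,originator
}

# The payload condition only checks that a "templ=" parameter is present; it
# does not require a "../" sequence despite the "directory traversal" label.
signature sid-899 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
  http /.*[\/\\]sendtemp\.pl/
  tcp-state established,originator
  payload /.*[tT][eE][mM][pP][lL]=/
}

signature sid-1702 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI Amaya templates sendtemp.pl access"
  http /.*[\/\\]sendtemp\.pl/
  tcp-state established,originator
}

signature sid-900 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI webspirs.cgi directory traversal attempt"
  http /.*[\/\\]webspirs\.cgi/
  tcp-state established,originator
  payload /.*\.\.\/\.\.\//
}

signature sid-901 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  event "WEB-CGI webspirs.cgi access"
  http /.*[\/\\]webspirs\.cgi/
  tcp-state established,originator
}

signature sid-902 {
  ip-proto == tcp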
src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI tstisapi.dll access" http /.*tstisapi\.dll/ tcp-state established,originator } signature sid-1308 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI sendmessage.cgi access" http /.*[\/\\]sendmessage\.cgi/ tcp-state established,originator } signature sid-1392 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI lastlines.cgi access" http /.*[\/\\]lastlines\.cgi/ tcp-state established,originator } signature sid-1395 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI zml.cgi attempt" http /.*[\/\\]zml\.cgi/ tcp-state established,originator payload /.*file=\.\.\// } signature sid-1396 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI zml.cgi access" http /.*[\/\\]zml\.cgi/ tcp-state established,originator } signature sid-1405 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI AHG search.cgi access" http /.*[\/\\]publisher[\/\\]search\.cgi/ tcp-state established,originator payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=/ } signature sid-1534 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI agora.cgi attempt" http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=