# BAD-TRAFFIC: packets whose IP/TCP headers are malformed or implausible.
# Signature ids (sid-NNN) appear to follow Snort rule numbering.  local_nets,
# smtp_servers, telnet_servers, http_servers and http_ports are referenced as
# variables and are not defined in this part of the file.
signature sid-524-a {
  ip-proto == tcp
  src-ip == local_nets
  dst-ip != local_nets
  src-port == 0
  event "BAD-TRAFFIC tcp port 0 traffic"
}
signature sid-524-b {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 0
  event "BAD-TRAFFIC tcp port 0 traffic"
}
signature sid-525-a {
  ip-proto == udp
  src-ip == local_nets
  dst-ip != local_nets
  src-port == 0
  event "BAD-TRAFFIC udp port 0 traffic"
}
signature sid-525-b {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 0
  event "BAD-TRAFFIC udp port 0 traffic"
}
# tcp[13] is the TCP flags byte; `& 255 == 2` means SYN and nothing else.
# A bare SYN that already carries more than 6 bytes of payload is reported.
signature sid-526 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  payload-size > 6
  header tcp[13:1] & 255 == 2
  event "BAD-TRAFFIC data in TCP SYN packet"
}
# Loopback addresses should never appear on the wire.
signature sid-528-a {
  src-ip == 127.0.0.0/8
  event "BAD-TRAFFIC loopback traffic"
}
signature sid-528-b {
  dst-ip == 127.0.0.0/8
  event "BAD-TRAFFIC loopback traffic"
}
signature sid-527 {
  same-ip
  event "BAD-TRAFFIC same SRC/DST"
}
# ip[6] holds the IP flags in its top three bits (mask 224):
#   128 -> reserved ("evil") bit set, 96 -> DF and MF both set.
signature sid-523 {
  src-ip != local_nets
  dst-ip == local_nets
  event "BAD-TRAFFIC ip reserved bit set"
  header ip[6:1] & 224 == 128
}
# ip[8] is the TTL.
signature sid-1321 {
  src-ip != local_nets
  dst-ip == local_nets
  event "BAD-TRAFFIC 0 ttl"
  header ip[8:1] == 0
}
signature sid-1322 {
  src-ip != local_nets
  dst-ip == local_nets
  event "BAD-TRAFFIC bad frag bits"
  header ip[6:1] & 224 == 96
}
# ip[9] is the IP protocol number.
signature sid-1627 {
  src-ip != local_nets
  dst-ip == local_nets
  header ip[9:1] > 134
  event "BAD-TRAFFIC Unassigned/Reserved IP protocol"
}
signature sid-1431 {
  ip-proto == tcp
  dst-ip == 232.0.0.0/8,233.0.0.0/8,239.0.0.0/8
  event "BAD-TRAFFIC syn to multicast address"
  header tcp[13:1] & 255 == 2
}
signature sid-2186 {
  header ip[9:1] == 53
  event "BAD-TRAFFIC IP Proto 53 (SWIPE)"
}
signature sid-2187 {
  header ip[9:1] == 55
  event "BAD-TRAFFIC IP Proto 55 (IP Mobility)"
}
signature sid-2188 {
  header ip[9:1] == 77
  event "BAD-TRAFFIC IP Proto 77 (Sun ND)"
}
signature sid-2189 {
  header ip[9:1] == 103
  event "BAD-TRAFFIC IP Proto 103 (PIM)"
}
# EXPLOIT: byte sequences taken from specific exploit payloads.  Payload
# regexes are anchored at the start of the payload, so the leading `.*` lets a
# pattern occur anywhere; such fixed byte strings are easy for an attacker to
# vary, so treat a hit as high-confidence and a miss as no information.
signature sid-1324 {
  ip-proto == tcp
  src-ip !=
local_nets
  dst-ip == local_nets
  dst-port == 22
  event "EXPLOIT ssh CRC32 overflow /bin/sh"
  tcp-state established,originator
  payload /.*\/bin\/sh/
}
# A run of 0x90 (x86 NOP) bytes in the client side of an SSH session.
signature sid-1326 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 22
  event "EXPLOIT ssh CRC32 overflow NOOP"
  tcp-state established,originator
  payload /.*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
}
# Both patterns are anchored (no leading .*): the first fixes the first seven
# bytes, the second looks at bytes 7..12.
signature sid-1327 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 22
  event "EXPLOIT ssh CRC32 overflow"
  tcp-state established,originator
  payload /\x00\x01\x57\x00\x00\x00\x18/
  payload /.{7}\xFF\xFF\xFF\xFF\x00\x00/
}
# Server-to-client direction (src-port 80, responder payload): a malicious web
# server attacking the browser.
signature sid-283 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  src-port == 80
  event "EXPLOIT Netscape 4.7 client overflow"
  tcp-state established,responder
  payload /.*\x33\xC9\xB1\x10\x3F\xE9\x06\x51\x3C\xFA\x47\x33\xC0\x50\xF7\xD0\x50/
}
signature sid-300 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 2766
  event "EXPLOIT nlps x86 Solaris overflow"
  tcp-state established,originator
  payload /.*\xeb\x23\x5e\x33\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36/
}
signature sid-301 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 515
  event "EXPLOIT LPRng overflow"
  tcp-state established,originator
  payload /.*\x43\x07\x89\x5B\x08\x8D\x4B\x08\x89\x43\x0C\xB0\x0B\xCD\x80\x31\xC0\xFE\xC0\xCD\x80\xE8\x94\xFF\xFF\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x0A/
}
signature sid-302 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 515
  event "EXPLOIT Redhat 7.0 lprd overflow"
  tcp-state established,originator
  payload /.*\x58\x58\x58\x58\x25\x2E\x31\x37\x32\x75\x25\x33\x30\x30\x24\x6E/
}
signature sid-304 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 6373
  event "EXPLOIT SCO calserver overflow"
  tcp-state established,originator
  payload /.*\xeb\x7f\x5d\x55\xfe\x4d\x98\xfe\x4d\x9b/
}
signature sid-305 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 8080
payload-size > 1000 event "EXPLOIT delegate proxy overflow" tcp-state established,originator payload /.*[wW][hH][oO][iI][sS]\x3a\/\// } signature sid-306 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 9090 event "EXPLOIT VQServer admin" tcp-state established,originator payload /.*[gG][eE][tT] \/ [hH][tT][tT][pP]\/1\.1/ } signature sid-308 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets src-port == 21 event "EXPLOIT NextFTP client overflow" tcp-state established,responder payload /.*\xb4\x20\xb4\x21\x8b\xcc\x83\xe9\x04\x8b\x19\x33\xc9\x66\xb9\x10/ } signature sid-309 { ip-proto == tcp src-ip != local_nets dst-ip == smtp_servers dst-port == 25 payload-size > 512 header tcp[13:1] & 255 == 16 event "EXPLOIT sniffit overflow" payload /.*[fF][rR][oO][mM]\x3A\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/ } signature sid-310 { ip-proto == tcp src-ip != local_nets dst-ip == smtp_servers dst-port == 25 event "EXPLOIT x86 windows MailMax overflow" tcp-state established,originator payload /.*\xeb\x45\xeb\x20\x5b\xfc\x33\xc9\xb1\x82\x8b\xf3\x80\x2b/ } signature sid-311 { ip-proto == tcp src-ip == local_nets dst-ip != local_nets dst-port == 80 event "EXPLOIT Netscape 4.7 unsucessful overflow" tcp-state established,originator payload /.*\x33\xC9\xB1\x10\x3F\xE9\x06\x51\x3C\xFA\x47\x33\xC0\x50\xF7\xD0\x50/ } signature sid-312 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 123 payload-size > 128 event "EXPLOIT ntpdx overflow attempt" } signature sid-313 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 518 event "EXPLOIT ntalkd x86 Linux overflow" payload /.*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xe8/ } signature sid-315 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 635 event "EXPLOIT x86 Linux mountd overflow" payload /.*\x5e\xb0\x02\x89\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46/ } signature sid-316 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 
635
  event "EXPLOIT x86 Linux mountd overflow"
  payload /.*\xeb\x56\x5E\x56\x56\x56\x31\xd2\x88\x56\x0b\x88\x56\x1e/
}
signature sid-317 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 635
  event "EXPLOIT x86 Linux mountd overflow"
  payload /.*\xeb\x40\x5E\x31\xc0\x40\x89\x46\x04\x89\xc3\x40\x89\x06/
}
signature sid-1240 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 2224
  event "EXPLOIT MDBMS overflow"
  tcp-state established,originator
  payload /.*\x01\x31\xDB\xCD\x80\xE8\x5B\xFF\xFF\xFF/
}
# Both payload patterns must match.
signature sid-1261 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 4242
  payload-size > 1000
  event "EXPLOIT AIX pdnsd overflow"
  tcp-state established,originator
  payload /.*\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78/
  payload /.*\x40\x8A\xFF\xC8\x40\x82\xFF\xD8\x3B\x36\xFE\x03\x3B\x76\xFE\x02/
}
signature sid-1323 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 4321
  event "EXPLOIT rwhoisd format string attempt"
  tcp-state established,originator
  payload /.*-soa %p/
}
# Weak pattern: only requires a payload of at least 10 bytes whose tenth byte
# is '1'.  Expect false positives; correlate before acting on it.
signature sid-1398 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 6112
  event "EXPLOIT CDE dtspcd exploit attempt"
  tcp-state established,originator
  payload /.{9}1/
  payload /.{10}/
}
# Port range covers the usual dynamic RPC port span.
signature sid-1751 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 32772
  dst-port <= 34000
  payload-size > 720
  event "EXPLOIT cachefsd buffer overflow attempt"
  tcp-state established,originator
  payload /.*\x00\x01\x87\x86\x00\x00\x00\x01\x00\x00\x00\x05/
}
# kadmind checks come in pairs (port 749 and 751) with identical patterns.
signature sid-1894 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 749
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
}
signature sid-1895 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 751
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload
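/.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
}
signature sid-1896 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 749
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03/
}
signature sid-1897 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 751
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03/
}
signature sid-1898 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 749
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\x2F\x73\x68\x68\x2F\x2F\x62\x69/
}
signature sid-1899 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 751
  event "EXPLOIT kadmind buffer overflow attempt"
  tcp-state established,originator
  payload /.*\x2F\x73\x68\x68\x2F\x2F\x62\x69/
}
signature sid-1812 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 22
  event "EXPLOIT gobbles SSH exploit attempt"
  tcp-state established,originator
  payload /.*GOBBLES/
}
signature sid-1821 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 515
  event "EXPLOIT LPD dvips remote command execution attempt"
  tcp-state established,originator
  payload /.*psfile=\x22\x60/
}
# Anchored: the server banner must begin with "SSH-" and run 600 bytes
# without a newline.
signature sid-1838 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  src-port == 22
  event "EXPLOIT SSH server banner overflow"
  tcp-state established,responder
  payload /SSH-[^\x0a]{600}/
}
signature sid-307 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 6666
  dst-port <= 7000
  event "EXPLOIT CHAT IRC topic overflow"
  tcp-state established,responder
  payload /.*\xeb\x4b\x5b\x53\x32\xe4\x83\xc3\x0b\x4b\x88\x23\xb8\x50\x77/
}
# No src/dst address constraint: applies to IRC traffic in either direction.
signature sid-1382 {
  ip-proto == tcp
  dst-port >= 6666
  dst-port <= 7000
  event "EXPLOIT CHAT IRC Ettercap parse overflow attempt"
  tcp-state established,originator
  payload /.*[pP][rR][iI][vV][mM][sS][gG] [nN][iI][cC][kK][sS][eE][rR][vV] [iI][dD][eE][nN][tT][iI][fF][yY][^\x0a]{150}/
}
signature sid-292 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 139
  event "EXPLOIT x86 Linux samba overflow"
  tcp-state established,originator
  payload /.*\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2/
}
# SCAN: scanner fingerprints based on TCP flag combinations and fixed header
# values.  tcp[13] flag bits: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 ECE=64
# CWR=128; `& 255 == N` requires exactly that combination.  tcp[4:4] is the
# sequence number, tcp[8:4] the acknowledgement number, ip[4:2] the IP id.
signature sid-613 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  src-port == 10101
  header tcp[8:4] == 0
  header tcp[13:1] & 255 == 2
  header ip[8:1] > 220
  event "SCAN myscan"
}
signature sid-616 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 113
  event "SCAN ident version request"
  tcp-state established,originator
  payload /.{0,8}VERSION\x0A/
}
# 195 == CWR|ECE|SYN|FIN
signature sid-619 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 80
  payload-size == 0
  header tcp[13:1] & 255 == 195
  event "SCAN cybercop os probe"
}
# Plain SYNs to proxy ports: these fire on every legitimate connection attempt
# to such a port as well, so they are inventory signals rather than alerts.
signature sid-618 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 3128
  event "SCAN Squid Proxy attempt"
  header tcp[13:1] & 255 == 2
}
signature sid-615 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 1080
  header tcp[13:1] & 255 == 2
  event "SCAN SOCKS Proxy attempt"
}
signature sid-620 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 8080
  event "SCAN Proxy (8080) attempt"
  header tcp[13:1] & 255 == 2
}
# 1 == FIN alone
signature sid-621 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 1
  event "SCAN FIN"
}
# SYN with a fixed sequence number.
signature sid-622 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 2
  header tcp[4:4] == 1958810375
  event "SCAN ipEye SYN scan"
}
# No flags, zero seq and ack.
signature sid-623 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[8:4] == 0
  header tcp[13:1] & 255 == 0
  header tcp[4:4] == 0
  event "SCAN NULL"
}
# 3 == SYN|FIN
signature sid-624 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 3
  event "SCAN SYN FIN"
}
# 63 == all six classic flags set
signature sid-625 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 63
  event "SCAN XMAS"
}
# 41 == FIN|PSH|URG
signature sid-1228 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 41
  event "SCAN nmap XMAS"
}
# ACK with a zero acknowledgement number.
signature sid-628 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[8:4] == 0
  header tcp[13:1] & 255 == 16
  event "SCAN nmap TCP"
}
# 43 == FIN|SYN|PSH|URG
signature sid-629 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 43
  event "SCAN nmap fingerprint attempt"
}
# SYN|FIN with a fixed IP id.
signature sid-630 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 3
  event "SCAN synscan portscan"
  header ip[4:2] == 39426
}
# 216 == CWR|ECE|PSH|ACK; payload pattern is anchored (16 'A's at the start).
signature sid-626 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[13:1] & 255 == 216
  event "SCAN cybercop os PA12 attempt"
  payload /AAAAAAAAAAAAAAAA/
}
# 227 == CWR|ECE|URG|SYN|FIN
signature sid-627 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  header tcp[8:4] == 0
  header tcp[13:1] & 255 == 227
  event "SCAN cybercop os SFU12 probe"
  payload /AAAAAAAAAAAAAAAA/
}
signature sid-634 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 10080
  dst-port <= 10081
  event "SCAN Amanda client version request"
  payload /.*[aA][mM][aA][nN][dD][aA]/
}
signature sid-635 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 49
  event "SCAN XTACACS logout"
  payload /.*\x80\x07\x00\x00\x07\x00\x00\x04\x00\x00\x00\x00\x00/
}
signature sid-636 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 7
  event "SCAN cybercop udp bomb"
  payload /.*cybercop/
}
# No port constraint: inspects every inbound UDP datagram.
signature sid-637 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "SCAN Webtrends Scanner UDP Probe"
  payload /.*\x0Ahelp\x0Aquite\x0A/
}
signature sid-1638 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 22
  event "SCAN SSH Version map attempt"
  tcp-state established,originator
  payload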
/.*[vV][eE][rR][sS][iI][oO][nN]_[mM][aA][pP][pP][eE][rR]/
}
# First pattern is anchored (datagram must start with "M-SEARCH ").
signature sid-1917 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 1900
  event "SCAN UPnP service discover attempt"
  payload /M-SEARCH /
  payload /.*ssdp:discover/
}
# icmp[0] is the type, icmp[1] the code: type 8 / code 0 is an echo request.
signature sid-1918 {
  ip-proto == icmp
  src-ip != local_nets
  dst-ip == local_nets
  header icmp[1:1] == 0
  header icmp[0:1] == 8
  event "SCAN SolarWinds IP scan attempt"
  payload /.*SolarWinds\.Net/
}
# 11 == FIN|SYN|PSH with a zero acknowledgement number.
signature sid-1133 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == http_servers
  dst-port == http_ports
  header tcp[8:4] == 0
  header tcp[13:1] & 255 == 11
  event "SCAN cybercop os probe"
  payload /AAAAAAAAAAAAAAAA/
}
# FINGER (tcp/79) request inspection.  Several of these match a single
# character anywhere in the request (';', '|', '@', '0', '.'), so they are
# noisy by design; useful mainly for enumeration visibility.
signature sid-320 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 79
  event "FINGER cmd_rootsh backdoor attempt"
  tcp-state established,originator
  payload /.*cmd_rootsh/
}
signature sid-321 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 79
  event "FINGER account enumeration attempt"
  tcp-state established,originator
  payload /.*[aA] [bB] [cC] [dD] [eE] [fF]/
}
signature sid-322 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 79
  event "FINGER search query"
  tcp-state established,originator
  payload /.*search/
}
signature sid-323 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 79
  event "FINGER root query"
  tcp-state established,originator
  payload /.*root/
}
signature sid-324 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 79
  event "FINGER null request"
  tcp-state established,originator
  payload /.*\x00/
}
# \x3b is ';'
signature sid-326 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 79
  event "FINGER remote command ; execution attempt"
  tcp-state established,originator
  payload /.*\x3b/
}
# \x7c is '|'
signature sid-327 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 79
  event "FINGER remote command pipe execution attempt"
  tcp-state established,originator
  payload /.*\x7c/
}
signature sid-328 {
ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 79 event "FINGER bomb attempt" tcp-state established,originator payload /.*@@/ } signature sid-330 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 79 event "FINGER redirection attempt" tcp-state established,originator payload /.*@/ } signature sid-331 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 79 event "FINGER cybercop query" tcp-state established,originator payload /.{0,4}\x0A / } signature sid-332 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 79 event "FINGER 0 query" tcp-state established,originator payload /.*0/ } signature sid-333 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 79 event "FINGER . query" tcp-state established,originator payload /.*\./ } signature sid-1541 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 79 event "FINGER version query" tcp-state established,originator payload /.*version/ } signature sid-337 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 21 event "FTP CEL overflow attempt" tcp-state established,originator payload /.*[cC][eE][lL] [^\x0a]{100}/ } signature sid-1919 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 21 event "FTP CWD overflow attempt" tcp-state established,originator payload /.*[cC][wW][dD] [^\x0a]{100}/ } signature sid-1621 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 21 event "FTP CMD overflow attempt" tcp-state established,originator payload /.*[cC][mM][dD] [^\x0a]{100}/ } signature sid-1379 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 21 event "FTP STAT overflow attempt" tcp-state established,originator payload /.*[sS][tT][aA][tT] [^\x0a]{100}/ } signature sid-1562 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 21 event "FTP SITE CHOWN overflow attempt" tcp-state established,originator payload 
/.*[sS][iI][tT][eE] /
  payload /.* [cC][hH][oO][wW][nN] [^\x0a]{100}/
}
# SITE sub-command overflows: two patterns, "SITE " and the sub-command with
# a 100-byte non-newline argument, both must match.
signature sid-1920 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP SITE NEWER overflow attempt"
  tcp-state established,originator
  payload /.*[sS][iI][tT][eE] /
  payload /.* [nN][eE][wW][eE][rR] [^\x0a]{100}/
}
signature sid-1888 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP SITE CPWD overflow attempt"
  tcp-state established,originator
  payload /.*[sS][iI][tT][eE] /
  payload /.* [cC][pP][wW][dD] [^\x0a]{100}/
}
# `.{0}` matches nothing and `.{1}` is a single byte; the expression reduces
# to SITE ... EXEC <byte> ... % ... %.
signature sid-1971 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP SITE EXEC format string attempt"
  tcp-state established,originator
  payload /.*[sS][iI][tT][eE].*.{0}.*[eE][xX][eE][cC] .{1}.*%.{1}.*%/
}
signature sid-1529 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP SITE overflow attempt"
  tcp-state established,originator
  payload /.*[sS][iI][tT][eE] [^\x0a]{100}/
}
signature sid-1734 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP USER overflow attempt"
  tcp-state established,originator
  payload /.*[uU][sS][eE][rR] [^\x0a]{100}/
}
signature sid-1972 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP PASS overflow attempt"
  tcp-state established,originator
  payload /.*[pP][aA][sS][sS] [^\x0a]{100}/
}
signature sid-1942 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP RMDIR overflow attempt"
  tcp-state established,originator
  payload /.*[rR][mM][dD][iI][rR] [^\x0a]{100}/
}
signature sid-1973 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP MKD overflow attempt"
  tcp-state established,originator
  payload /.*[mM][kK][dD] [^\x0a]{100}/
}
signature sid-1974 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP REST overflow attempt"
  tcp-state established,originator
  payload
/.*[rR][eE][sS][tT] [^\x0a]{100}/
}
signature sid-1975 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP DELE overflow attempt"
  tcp-state established,originator
  payload /.*[dD][eE][lL][eE] [^\x0a]{100}/
}
signature sid-1976 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP RMD overflow attempt"
  tcp-state established,originator
  payload /.*[rR][mM][dD] [^\x0a]{100}/
}
# NOTE(review): the four trailing `payload /.*/` conditions match any content,
# so this fires on every MODE command; the "invalid" qualifier is not enforced.
signature sid-1623 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP invalid MODE"
  tcp-state established,originator
  payload /.*[mM][oO][dD][eE] /
  payload /.*/
  payload /.*/
  payload /.*/
  payload /.*/
}
# NOTE(review): `payload-size == 10` matches only exactly ten-byte payloads,
# although the event name says "large"; confirm whether a lower bound was
# intended (same for sid-1625).
signature sid-1624 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  payload-size == 10
  event "FTP large PWD command"
  tcp-state established,originator
  payload /.*[pP][wW][dD]/
}
signature sid-1625 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  payload-size == 10
  event "FTP large SYST command"
  tcp-state established,originator
  payload /.*[sS][yY][sS][tT]/
}
# NOTE(review): if the signature lexer treats `\"` as an escaped quote, the
# event string below is unterminated; `C:\\` would be the intended spelling.
# Confirm against the parser before relying on this signature.
signature sid-2125 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP CWD C:\"
  tcp-state established,originator
  payload /.*[cC][wW][dD].{1}.*C:\\/
}
signature sid-1921 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP SITE ZIPCHK attempt"
  tcp-state established,originator
  payload /.*[sS][iI][tT][eE] /
  payload /.* [zZ][iI][pP][cC][hH][kK] [^\x0a]{100}/
}
signature sid-1864 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP SITE NEWER attempt"
  tcp-state established,originator
  payload /.*[sS][iI][tT][eE] /
  payload /.* [nN][eE][wW][eE][rR] /
}
signature sid-361 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP site exec"
  tcp-state established,originator
  payload /.*[sS][iI][tT][eE] .*.{0}.*[eE][xX][eE][cC] /
}
signature sid-1777 {
  ip-proto == tcp
  src-ip !=
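local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP EXPLOIT STAT * dos attempt"
  tcp-state established,originator
  payload /.*[sS][tT][aA][tT].{1}.*\*/
}
signature sid-1778 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP EXPLOIT STAT ? dos attempt"
  tcp-state established,originator
  payload /.*[sS][tT][aA][tT].{1}.*\?/
}
signature sid-362 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP tar parameters"
  tcp-state established,originator
  payload /.*\" --[uU][sS][eE]-[cC][oO][mM][pP][rR][eE][sS][sS]-[pP][rR][oO][gG][rR][aA][mM]\" /
}
# CWD probes: note that the "CWD" in these patterns is case-sensitive, unlike
# the verb matches elsewhere in this file.
signature sid-336 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP CWD ~root attempt"
  tcp-state established,originator
  payload /.*CWD /
  payload /.* ~[rR][oO][oO][tT]/
}
signature sid-1229 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP CWD ..."
  tcp-state established,originator
  payload /.*CWD /
  payload /.* \.\.\./
}
signature sid-1672 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP CWD ~ attempt"
  tcp-state established,originator
  payload /.*CWD /
  payload /.* ~\x0A/
}
signature sid-1728 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP CWD ~ attempt"
  tcp-state established,originator
  payload /.*CWD /
  payload /.* ~\x0D\x0A/
}
signature sid-1779 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP CWD .... attempt"
  tcp-state established,originator
  payload /.*CWD /
  payload /.* \.\.\.\./
}
signature sid-360 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP serv-u directory transversal"
  tcp-state established,originator
  payload /.*\.%20\./
}
signature sid-1377 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP wu-ftp bad file completion attempt ["
  tcp-state established,originator
  payload /.*~.{1}.*\[/
}
signature sid-1378 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP wu-ftp bad file completion attempt {"
  tcp-state established,originator
  payload /.*~.{1}.*\{/
}
signature sid-1530 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP format string attempt"
  tcp-state established,originator
  payload /.*%[pP]/
}
signature sid-1622 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP RNFR ././ attempt"
  tcp-state established,originator
  payload /.*[rR][nN][fF][rR] /
  payload /.* \.\/\.\//
}
# Size-only check with no payload pattern: any client-side FTP control
# message over 100 bytes (long paths included) fires this.
signature sid-1748 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  payload-size > 100
  event "FTP command overflow attempt"
  tcp-state established,originator
}
# Unlike its neighbours this one has no tcp-state condition.
signature sid-1992 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP LIST directory traversal attempt"
  payload /.*LIST.{1}.*\.\..{1}.*\.\./
}
# References to sensitive dot-files anywhere in the client command stream.
signature sid-334 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP .forward"
  tcp-state established,originator
  payload /.*\.forward/
}
signature sid-335 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP .rhosts"
  tcp-state established,originator
  payload /.*\.rhosts/
}
signature sid-1927 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP authorized_keys"
  tcp-state established,originator
  payload /.*authorized_keys/
}
signature sid-356 {
  ip-proto == tcp
  src-ip !=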
local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP passwd retrieval attempt"
  tcp-state established,originator
  payload /.*[rR][eE][tT][rR]/
  payload /.*passwd/
}
signature sid-1928 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP shadow retrieval attempt"
  tcp-state established,originator
  payload /.*[rR][eE][tT][rR]/
  payload /.*shadow/
}
# Scanner / worm login fingerprints: fixed USER or PASS strings.
signature sid-144 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP ADMw0rm ftp login attempt"
  tcp-state established,originator
  payload /.*USER w0rm\x0D\x0A/
}
signature sid-353 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP adm scan"
  tcp-state established,originator
  payload /.*PASS ddd@\x0a/
}
signature sid-354 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP iss scan"
  tcp-state established,originator
  payload /.*pass -iss@iss/
}
signature sid-355 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP pass wh00t"
  tcp-state established,originator
  payload /.*[pP][aA][sS][sS] [wW][hH]00[tT]/
}
signature sid-357 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP piss scan"
  tcp-state established,originator
  payload /.*pass -cklaus/
}
signature sid-358 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP saint scan"
  tcp-state established,originator
  payload /.*pass -saint/
}
signature sid-359 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 21
  event "FTP satan scan"
  tcp-state established,originator
  payload /.*pass -satan/
}
# TELNET (tcp/23): client-to-server signatures use dst-ip == telnet_servers
# with originator payload; server-to-client ones use src-ip == telnet_servers
# with responder payload.
signature sid-1430 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == telnet_servers
  dst-port == 23
  event "TELNET Solaris memory mismanagement exploit attempt"
  tcp-state established,originator
  payload /.*\xA0\x23\xA0\x10\xAE\x23\x80\x10\xEE\x23\xBF\xEC\x82\x05\xE0\xD6\x90\x25\xE0/
}
signature sid-711 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip ==
telnet_servers
  dst-port == 23
  event "TELNET SGI telnetd format bug"
  tcp-state established,originator
  payload /.*_RLD/
  payload /.*bin\/sh/
}
signature sid-712 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == telnet_servers
  dst-port == 23
  event "TELNET ld_library_path"
  tcp-state established,originator
  payload /.*ld_library_path/
}
signature sid-713 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == telnet_servers
  dst-port == 23
  event "TELNET livingston DOS"
  tcp-state established,originator
  payload /.*\xff\xf3\xff\xf3\xff\xf3\xff\xf3\xff\xf3/
}
signature sid-714 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == telnet_servers
  dst-port == 23
  event "TELNET resolv_host_conf"
  tcp-state established,originator
  payload /.*resolv_host_conf/
}
# Server responses leaking outbound: these report what the telnet server told
# an external client (failed su, console-only login, bad password, root login).
signature sid-715 {
  ip-proto == tcp
  src-ip == telnet_servers
  dst-ip != local_nets
  src-port == 23
  event "TELNET Attempted SU from wrong group"
  tcp-state established,responder
  payload /.*[tT][oO] [sS][uU] [rR][oO][oO][tT]/
}
signature sid-717 {
  ip-proto == tcp
  src-ip == telnet_servers
  dst-ip != local_nets
  src-port == 23
  event "TELNET not on console"
  tcp-state established,responder
  payload /.*[nN][oO][tT] [oO][nN] [sS][yY][sS][tT][eE][mM] [cC][oO][nN][sS][oO][lL][eE]/
}
signature sid-718 {
  ip-proto == tcp
  src-ip == telnet_servers
  dst-ip != local_nets
  src-port == 23
  event "TELNET login incorrect"
  tcp-state established,responder
  payload /.*Login incorrect/
}
signature sid-719 {
  ip-proto == tcp
  src-ip == telnet_servers
  dst-ip != local_nets
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login: root/
}
signature sid-1252 {
  ip-proto == tcp
  src-ip == telnet_servers
  dst-ip != local_nets
  src-port == 23
  event "TELNET bsd telnet exploit response"
  tcp-state established,responder
  payload /.*\x0D\x0A\[Yes\]\x0D\x0A\xFF\xFE\x08\xFF\xFD\x26/
}
# NOTE(review): the address/port constraints select client-to-server packets
# (dst-ip == telnet_servers, dst-port 23), yet the tcp-state given is
# `established,responder`, which takes payload from the server side; as
# written this looks like it can never match.  The name "client finishing"
# suggests `originator` was intended -- confirm against the source rule.
signature sid-1253 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == telnet_servers
  dst-port == 23
  payload-size > 200
  event "TELNET bsd exploit client finishing"
  tcp-state
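established,responder
  payload /.{199}\xFF\xF6\xFF\xF6\xFF\xFB\x08\xFF\xF6/
}
# Default SGI account probes.
signature sid-709 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == telnet_servers
  dst-port == 23
  event "TELNET 4Dgifts SGI account attempt"
  tcp-state established,originator
  payload /.*4Dgifts/
}
signature sid-710 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == telnet_servers
  dst-port == 23
  event "TELNET EZsetup account attempt"
  tcp-state established,originator
  payload /.*OutOfBox/
}
# Telnet option negotiation (IAC DO ...) sent by a local telnet server to an
# external host: records that a telnet session was opened from outside.
signature sid-716 {
  ip-proto == tcp
  src-ip == telnet_servers
  dst-ip != local_nets
  src-port == 23
  event "TELNET access"
  tcp-state established,responder
  payload /.*\xFF\xFD\x18\xFF\xFD\x1F\xFF\xFD\x23\xFF\xFD\x27\xFF\xFD\x24/
}
# RPC portmapper (port 111).  `\x00\x01\x86\xA0` is program 100000 (portmap);
# the word after the version selects the procedure (1 SET, 2 UNSET, 3 GETPORT,
# 4 DUMP, 5 CALLIT).  The anchored `.{7}` (TCP) / `.{3}` (UDP) prefix reaches
# the zero message-type word (CALL).
# The "# Not supported" lines record Snort byte_test/byte_jump checks the
# converter could not express.  They must stay on their own lines: `#`
# comments run to end of line, and on a single collapsed line they swallow
# every condition and signature that follows.
# NOTE(review): without the `> 2048` byte_test, sid-2093/sid-2092 are just
# CALLIT requests with a zero high byte in the version word, so they largely
# duplicate sid-1922/sid-1923 rather than detecting an overflow.
# NOTE(review): the `.{N}` prefixes here and in the other converted rules are
# one less than the RPC field offsets computed from the wire layout (the
# program number sits at TCP payload offset 16, the pattern starts at 15);
# this is consistent across the file, so it presumably reflects the
# converter's offset convention -- verify against a captured portmap call.
signature sid-2093 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_test: 4,>,2048,12,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap proxy integer overflow attempt TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
}
signature sid-2092 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap proxy integer overflow attempt UDP"
  # Not supported: byte_test: 4,>,2048,12,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
}
signature sid-1922 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  event "RPC portmap proxy attempt TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
}
signature sid-1923 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  event "RPC portmap proxy attempt UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
}
signature sid-1280 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111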
event "RPC portmap listing UDP 111" payload /.{3}\x00\x00\x00\x00/ payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/ } signature sid-598 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 111 event "RPC portmap listing TCP 111" tcp-state established,originator payload /.{7}\x00\x00\x00\x00/ payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/ } signature sid-1949 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 111 event "RPC portmap SET attempt TCP 111" tcp-state established,originator payload /.{7}\x00\x00\x00\x00/ payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/ } signature sid-1950 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 111 event "RPC portmap SET attempt UDP 111" payload /.{3}\x00\x00\x00\x00/ payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/ } signature sid-2014 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 111 event "RPC portmap UNSET attempt TCP 111" tcp-state established,originator payload /.{7}\x00\x00\x00\x00/ payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/ } signature sid-2015 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 111 event "RPC portmap UNSET attempt UDP 111" payload /.{3}\x00\x00\x00\x00/ payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/ } signature sid-599 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 32771 event "RPC portmap listing TCP 32771" tcp-state established,originator payload /.{7}\x00\x00\x00\x00/ payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/ } signature sid-1281 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 32771 event "RPC portmap listing UDP 32771" payload /.{3}\x00\x00\x00\x00/ payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/ } signature sid-1746 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 111 # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align event "RPC portmap cachefsd request UDP" 
payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
}

# ---- portmapper GETPORT lookups for specific services --------------------
# Pattern shape: RPC CALL, program 100000 (\x00\x01\x86\xA0), .{4} version,
# procedure 3 (GETPORT), then the program number of the service looked up.
# TCP variants skip the 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).
# NOTE(review): these were converted without Snort's byte_jump (the "Not
# supported" lines). That jump skipped the RPC credentials and verifier, which
# in a well-formed call occupy at least 16 bytes between the procedure number
# and the GETPORT argument; as converted, the service's program number must
# follow \x00\x00\x00\x03 immediately, so these patterns are unlikely to match
# a real GETPORT request. Do not count them as coverage. Something like
# \x00\x00\x00\x03[\x00-\xff]{16,}<prog> is the probable repair -- confirm
# against a capture before changing.

# cachefsd (100235 = \x00\x01\x87\x8B) lookup, TCP.
signature sid-1747 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap cachefsd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
}

# rwalld (100008 = \x00\x01\x86\xA8) lookup, UDP.
signature sid-1732 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rwalld request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
}

# rwalld lookup, TCP.
signature sid-1733 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rwalld request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
}

# admind (100087 = \x00\x01\x86\xF7) lookup, UDP.
signature sid-575 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap admind request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
}

# admind lookup, TCP.
signature sid-1262 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap admind request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
}

# amountd / automount (100099 = \x00\x01\x87\x03) lookup, UDP.
signature sid-576 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap amountd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
}

# amountd lookup, TCP.
signature sid-1263 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap amountd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
}

# bootparam (100026 = \x00\x01\x86\xBA) lookup, UDP.
signature sid-577 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap bootparam request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
}

# bootparam lookup, TCP.
signature sid-1264 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap bootparam request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
}

# nisd (100300 = \x00\x01\x87\xcc) lookup, UDP.
signature sid-580 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nisd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xcc/
}

# nisd lookup, TCP.
signature sid-1267 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nisd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xcc/
}

# pcnfsd (150001 = \x00\x02\x49\xf1) lookup, UDP.
signature sid-581 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap pcnfsd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02\x49\xf1/
}

# pcnfsd lookup, TCP.
signature sid-1268 {
  ip-proto ==
tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap pcnfsd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02\x49\xf1/
}

# ---- portmapper GETPORT lookups for specific services --------------------
# Pattern shape: RPC CALL, program 100000 (\x00\x01\x86\xA0), .{4} version,
# procedure 3 (GETPORT), then the program number of the service looked up.
# TCP variants skip the 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).
# NOTE(review): converted without Snort's byte_jump (the "Not supported"
# lines), which skipped the RPC credentials and verifier -- at least 16 bytes
# that sit between the procedure number and the GETPORT argument in a
# well-formed call. As converted, the service's program number must follow
# \x00\x00\x00\x03 immediately, so these are unlikely to match real GETPORT
# requests; do not count them as coverage. \x00\x00\x00\x03[\x00-\xff]{16,}<prog>
# is the probable repair -- confirm against a capture before changing.

# rexd (100017 = \x00\x01\x86\xB1) lookup, UDP.
signature sid-582 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rexd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
}

# rexd lookup, TCP.
signature sid-1269 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rexd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
}

# rusers (100002 = \x00\x01\x86\xA2) lookup, UDP.
signature sid-584 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rusers request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
}

# rusers lookup, TCP.
signature sid-1271 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rusers request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
}

# A call to rusers (100002) procedure 2 on any UDP port: the service itself
# being queried (no port restriction, since rusersd lives on a dynamic port).
signature sid-612 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC rusers query UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA2.{4}\x00\x00\x00\x02/
}

# selection_svc (100015 = \x00\x01\x86\xAF) lookup, UDP.
signature sid-586 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap selection_svc request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
}

# selection_svc lookup, TCP.
signature sid-1273 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap selection_svc request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
}

# status / statd (100024 = \x00\x01\x86\xB8) lookup, UDP.
signature sid-587 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap status request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
}

# status / statd lookup, TCP.
signature sid-2016 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap status request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
}

# snmpXdmid (100249 = \x00\x01\x87\x99) lookup, TCP.
signature sid-593 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap snmpXdmi request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
}

# snmpXdmid lookup, UDP.
signature sid-1279 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap snmpXdmi request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
}

# Call to snmpXdmid (100249) procedure 257 (\x00\x00\x01\x01) on any TCP port.
# NOTE(review): the Snort original also required a 4-byte value > 1024 at a
# relative offset (byte_test); that length check was dropped, so this raises
# the "overflow attempt" event for every such call, exploit or not.
signature sid-569 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,1024,20,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC snmpXdmi overflow attempt TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload
/.{15}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
}

# Pattern shape for the RPC signatures here: CALL message type (all-zero
# word), program number, .{4} version, procedure number. TCP variants skip the
# 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).

# UDP twin of sid-569: snmpXdmid (100249) procedure 257 on any UDP port.
# NOTE(review): the dropped byte_test (4-byte value > 1024) was the only thing
# separating an overflow from an ordinary call; this fires on every such call.
signature sid-2045 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC snmpXdmi overflow attempt UDP"
  # Not supported: byte_test: 4,>,1024,20,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
}

# ---- portmapper GETPORT lookups ------------------------------------------
# NOTE(review): the "portmap <service> request" signatures were converted
# without Snort's byte_jump (the "Not supported" line), which skipped the RPC
# credentials and verifier -- at least 16 bytes between the procedure number
# (\x00\x00\x00\x03 = GETPORT) and the GETPORT argument in a well-formed call.
# As converted, the service's program number must follow the procedure number
# immediately, so these are unlikely to match real requests; do not count
# them as coverage. \x00\x00\x00\x03[\x00-\xff]{16,}<prog> is the probable
# repair -- confirm against a capture before changing.

# espd (391029 = \x00\x05\xF7\x75) lookup, UDP.
signature sid-2017 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap espd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x75/
}

# espd lookup, TCP.
signature sid-595 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap espd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x75/
}

# statd (100024 = \x00\x01\x86\xB8) procedure 2 to a high port, with the
# format-string fragment "%x %x" within the following 251 bytes. Unlike the
# plain "mon_name" signatures, this one still carries an exploit marker.
signature sid-1890 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 1024
  dst-port <= 65535
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC status GHBN format string attack"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
}

# TCP twin of sid-1890.
signature sid-1891 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 1024
  dst-port <= 65535
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC status GHBN format string attack"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
}

# mountd (100005 = \x00\x01\x86\xA5) lookup, UDP (same byte_jump caveat).
signature sid-579 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap mountd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
}

# mountd lookup, TCP (same byte_jump caveat).
signature sid-1266 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap mountd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
}

# ---- mountd (100005) procedures on any port ------------------------------
# 1 = MNT, 2 = DUMP, 3 = UMNT, 4 = UMNTALL, 5 = EXPORT, 6 = EXPORTALL. These
# are inventory events: EXPORT/EXPORTALL from outside is the "showmount -e"
# reconnaissance, the rest are ordinary NFS client activity.

# EXPORT (procedure 5), TCP.
signature sid-574 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd TCP export request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
}

# EXPORT (procedure 5), UDP.
signature sid-1924 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd UDP export request"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
}

# EXPORTALL (procedure 6), TCP.
signature sid-1925 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd TCP exportall request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
}

# EXPORTALL (procedure 6), UDP.
signature sid-1926 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd UDP exportall request"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
}

# MNT (procedure 1), TCP.
signature sid-1951 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd TCP mount request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
}

# MNT (procedure 1), UDP.
signature sid-1952 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd UDP mount request"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
}

# DUMP (procedure 2), TCP.
signature sid-2018 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd TCP dump request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
}

# DUMP (procedure 2), UDP.
signature sid-2019 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd UDP dump request"
  payload
/.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
}

# Pattern shape for the RPC signatures here: CALL message type (all-zero
# word), program number, .{4} version, procedure number. TCP variants skip the
# 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).

# mountd (100005 = \x00\x01\x86\xA5) UMNT (procedure 3), TCP.
signature sid-2020 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd TCP unmount request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
}

# mountd UMNT (procedure 3), UDP.
signature sid-2021 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd UDP unmount request"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
}

# mountd UMNTALL (procedure 4), TCP.
signature sid-2022 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd TCP unmountall request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
}

# mountd UMNTALL (procedure 4), UDP.
signature sid-2023 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC mountd UDP unmountall request"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
}

# ---- amd / amq (300019 = \x00\x04\x93\xF3) on ports 500-65535 -------------

# amqproc_mount (procedure 7), UDP.
# NOTE(review): the Snort original also required a 4-byte value > 512 at a
# relative offset (byte_test); that length check was dropped, so this raises
# the "overflow attempt" event for every amqproc_mount call, exploit or not.
signature sid-1905 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 500
  dst-port <= 65535
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC AMD UDP amqproc_mount plog overflow attempt"
  # Not supported: byte_test: 4,>,512,0,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
}

# TCP twin of sid-1905, same dropped length check.
signature sid-1906 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 500
  dst-port <= 65535
  # Not supported: byte_test: 4,>,512,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC AMD TCP amqproc_mount plog overflow attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
}

# amq pid query (procedure 9), TCP -- reconnaissance, not an exploit.
signature sid-1953 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 500
  dst-port <= 65535
  event "RPC AMD TCP pid request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
}

# amq pid query (procedure 9), UDP.
signature sid-1954 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 500
  dst-port <= 65535
  event "RPC AMD UDP pid request"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
}

# amq version query (procedure 8), TCP.
signature sid-1955 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 500
  dst-port <= 65535
  event "RPC AMD TCP version request"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
}

# amq version query (procedure 8), UDP.
signature sid-1956 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 500
  dst-port <= 65535
  event "RPC AMD UDP version request"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
}

# ---- cmsd (100068 = \x00\x01\x86\xE4) --------------------------------------

# Portmapper GETPORT lookup for cmsd, UDP.
# NOTE(review): converted without Snort's byte_jump, which skipped the RPC
# credentials and verifier (at least 16 bytes) between the procedure number
# and the GETPORT argument; as converted the program number must follow
# \x00\x00\x00\x03 immediately, so this is unlikely to match a real request.
# \x00\x00\x00\x03[\x00-\xff]{16,}\x00\x01\x86\xE4 is the probable repair --
# confirm against a capture before changing.
signature sid-578 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap cmsd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
}

# Portmapper GETPORT lookup for cmsd, TCP (same byte_jump caveat).
signature sid-1265 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap cmsd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
}

# cmsd CMSD_CREATE (procedure 21 = \x00\x00\x00\x15) on any UDP port.
# NOTE(review): the dropped byte_test (4-byte value > 1024) was the only thing
# separating an overflow from a normal CMSD_CREATE call; as converted this
# fires on every such call, and sid-2094 below matches the identical bytes.
signature sid-1907 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
  # Not supported: byte_test: 4,>,1024,0,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
}

# TCP twin of sid-1907, same dropped length check.
signature sid-1908 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,1024,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
  tcp-state established,originator
  payload
/.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
}

# Pattern shape for the RPC signatures here: CALL message type (all-zero
# word), program number, .{4} version, procedure number. TCP variants skip the
# 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).

# cmsd (100068 = \x00\x01\x86\xE4) CMSD_CREATE (procedure 21), UDP.
# NOTE(review): after the dropped byte_test this is byte-for-byte the same
# match as sid-1907, so every CMSD_CREATE call raises both events.
signature sid-2094 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
  # Not supported: byte_test: 4,>,1024,20,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
}

# TCP twin of sid-2094 (identical match to sid-1908 after conversion).
signature sid-2095 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,1024,20,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
}

# cmsd CMSD_INSERT (procedure 6), TCP.
# NOTE(review): the dropped byte_test (4-byte value > 1000) was the only thing
# separating an overflow from a normal CMSD_INSERT call; fires on every one.
signature sid-1909 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,1000,28,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
}

# UDP twin of sid-1909, same dropped length check.
signature sid-1910 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
  # Not supported: byte_test: 4,>,1000,28,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
}

# ---- sadmind (100232 = \x00\x01\x87\x88) ----------------------------------

# Portmapper GETPORT lookup for sadmind, TCP.
# NOTE(review): converted without Snort's byte_jump, which skipped the RPC
# credentials and verifier (at least 16 bytes) between the procedure number
# and the GETPORT argument; as converted the program number must follow
# \x00\x00\x00\x03 immediately, so this is unlikely to match a real request.
# \x00\x00\x00\x03[\x00-\xff]{16,}\x00\x01\x87\x88 is the probable repair --
# confirm against a capture before changing.
signature sid-1272 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap sadmind request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
}

# Portmapper GETPORT lookup for sadmind, UDP (same byte_jump caveat).
signature sid-585 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap sadmind request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
}

# sadmind NETMGT_PROC_SERVICE (procedure 1) on any UDP port.
# NOTE(review): the dropped byte_test (4-byte value > 512) and the longer
# byte_jump that located the CLIENT_DOMAIN field were what made this an
# overflow signature; as converted it fires on every NETMGT_PROC_SERVICE call.
signature sid-1911 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
  event "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
  # Not supported: byte_test: 4,>,512,4,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
}

# TCP twin of sid-1911, same dropped checks.
signature sid-1912 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,512,4,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
  event "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
}

# sadmind procedure 0 (NULL / ping) on any UDP port: a liveness probe, the
# usual first step before a sadmind exploit.
signature sid-1957 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC sadmind UDP PING"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
}

# TCP twin of sid-1957.
signature sid-1958 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC sadmind TCP PING"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
}

# rstatd (100001 = \x00\x01\x86\xA1) GETPORT lookup, UDP (same byte_jump
# caveat as the sadmind lookups above).
signature sid-583 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rstatd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
}

# rstatd GETPORT lookup, TCP (same byte_jump caveat).
signature sid-1270 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rstatd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload
/.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
}

# Pattern shape for the RPC signatures here: CALL message type (all-zero
# word), program number, .{4} version, procedure number. TCP variants skip the
# 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).

# ---- statd (100024 = \x00\x01\x86\xB8) on any port -----------------------
# NOTE(review): all four "mon_name format string" signatures lost their Snort
# byte_test (a 4-byte value > 100, the mon_name length). As converted they
# match every SM_STAT (procedure 1) or SM_MON (procedure 2) call, which is
# ordinary NFS lock-recovery traffic -- expect noise on any NFS-heavy segment.

# SM_STAT (procedure 1), UDP.
signature sid-1913 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC STATD UDP stat mon_name format string exploit attempt"
  # Not supported: byte_test: 4,>,100,0,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
}

# SM_STAT (procedure 1), TCP.
signature sid-1914 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,100,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC STATD TCP stat mon_name format string exploit attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
}

# SM_MON (procedure 2), UDP.
signature sid-1915 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC STATD UDP monitor mon_name format string exploit attempt"
  # Not supported: byte_test: 4,>,100,0,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
}

# SM_MON (procedure 2), TCP.
signature sid-1916 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,100,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC STATD TCP monitor mon_name format string exploit attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
}

# ---- portmapper GETPORT lookups ------------------------------------------
# NOTE(review): the "portmap <service> request" signatures were converted
# without Snort's byte_jump (the "Not supported" line), which skipped the RPC
# credentials and verifier -- at least 16 bytes between the procedure number
# (\x00\x00\x00\x03 = GETPORT) and the GETPORT argument in a well-formed call.
# As converted, the service's program number must follow the procedure number
# immediately, so these are unlikely to match real requests; do not count
# them as coverage. \x00\x00\x00\x03[\x00-\xff]{16,}<prog> is the probable
# repair -- confirm against a capture before changing.

# ypupdated (100028 = \x00\x01\x86\xBC) lookup, UDP.
signature sid-1277 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ypupdated request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
}

# ypupdated lookup, TCP.
signature sid-591 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ypupdated request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
}

# ypupdated procedure 1 on any UDP port with a "|" somewhere after the first
# argument word: the shell metacharacter that turns the update map name into
# command execution. The byte_jump was dropped, so .{4}.*\| starts scanning
# at the credentials rather than at the argument; the "|" is still required.
signature sid-2088 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC ypupdated arbitrary command attempt UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\|/
}

# TCP twin of sid-2088.
signature sid-2089 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC ypupdated arbitrary command attempt TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\|/
}

# NFS (100003 = \x00\x01\x86\xA3) lookup, UDP (same byte_jump caveat).
signature sid-1959 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap NFS request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
}

# NFS lookup, TCP (same byte_jump caveat).
signature sid-1960 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap NFS request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
}

# rquotad (100011 = \x00\x01\x86\xAB) lookup, UDP (same byte_jump caveat).
signature sid-1961 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap RQUOTA request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
}

# rquotad lookup, TCP (same byte_jump caveat).
signature sid-1962 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap RQUOTA request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload
/.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
}

# Pattern shape for the RPC signatures here: CALL message type (all-zero
# word), program number, .{4} version, procedure number. TCP variants skip the
# 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).

# rquotad (100011 = \x00\x01\x86\xAB) getquota (procedure 1), UDP.
# NOTE(review): the dropped byte_test (4-byte value > 128) was the only thing
# separating an overflow from a normal getquota call; fires on every one.
signature sid-1963 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC RQUOTA getquota overflow attempt UDP"
  # Not supported: byte_test: 4,>,128,0,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
}

# TCP twin of sid-1963, same dropped length check.
# NOTE(review): unlike every other TCP signature in this file this one has no
# "tcp-state established,originator" condition, so it is presumably evaluated
# on both directions of the stream -- confirm whether that is intended.
signature sid-2024 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC RQUOTA getquota overflow attempt TCP"
  # Not supported: byte_test: 4,>,128,0,relative
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
}

# ---- portmapper GETPORT lookups ------------------------------------------
# NOTE(review): the "portmap <service> request" signatures were converted
# without Snort's byte_jump (the "Not supported" line), which skipped the RPC
# credentials and verifier -- at least 16 bytes between the procedure number
# (\x00\x00\x00\x03 = GETPORT) and the GETPORT argument in a well-formed call.
# As converted, the service's program number must follow the procedure number
# immediately, so these are unlikely to match real requests; do not count
# them as coverage. \x00\x00\x00\x03[\x00-\xff]{16,}<prog> is the probable
# repair -- confirm against a capture before changing.

# ttdbserverd (100083 = \x00\x01\x86\xF3) lookup, UDP.
signature sid-588 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ttdbserv request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
}

# ttdbserverd lookup, TCP.
signature sid-1274 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ttdbserv request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
}

# ttdbser verd (100083) procedure 7 on any UDP port.
# NOTE(review): the dropped byte_test (4-byte value > 128) was the only thing
# separating an overflow from a normal procedure-7 call; fires on every one.
signature sid-1964 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC tooltalk UDP overflow attempt"
  # Not supported: byte_test: 4,>,128,0,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
}

# TCP twin of sid-1964, same dropped length check.
signature sid-1965 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,128,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC tooltalk TCP overflow attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
}

# yppasswdd (100009 = \x00\x01\x86\xA9) lookup, UDP (same byte_jump caveat).
signature sid-589 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap yppasswd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
}

# yppasswdd lookup, TCP (same byte_jump caveat).
signature sid-1275 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap yppasswd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
}

# ---- yppasswdd (100009) procedure 1 (YPPASSWDPROC_UPDATE) ------------------
# NOTE(review): the "old password", "username" and "new password" overflow
# signatures differ from each other and from the plain "user update"
# signatures only in the byte_test/byte_jump lines that were dropped; their
# surviving patterns are identical. Every yppasswd update therefore raises all
# of them at once. Treat them as one "yppasswd update seen" event until the
# length checks are re-implemented.

# old-password field, UDP.
signature sid-2027 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  # Not supported: byte_test: 4,>,64,0,relative
  event "RPC yppasswd old password overflow attempt UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# old-password field, TCP.
signature sid-2028 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,64,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC yppasswd old password overflow attempt TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# username field, UDP.
signature sid-2025 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC yppasswd username overflow attempt UDP"
  # Not supported: byte_test: 4,>,64,0,relative
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# username field, TCP.
signature sid-2026 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,64,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
  event "RPC yppasswd username overflow attempt TCP"
  tcp-state
established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# Pattern shape for the RPC signatures here: CALL message type (all-zero
# word), program number, .{4} version, procedure number. TCP variants skip the
# 4-byte record mark (.{7}/.{15} instead of .{3}/.{11}).

# ---- yppasswdd (100009 = \x00\x01\x86\xA9) procedure 1 ---------------------
# NOTE(review): the overflow signatures below differ from the plain "user
# update" ones only in the byte_test/byte_jump lines that were dropped; the
# surviving patterns are identical, so every yppasswd update raises all of
# them. Treat them as one "yppasswd update seen" event.

# new-password field, UDP.
signature sid-2029 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
  # Not supported: byte_test: 4,>,64,0,relative
  event "RPC yppasswd new password overflow attempt UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# new-password field, TCP.
signature sid-2030 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  # Not supported: byte_test: 4,>,64,0,relative
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
  event "RPC yppasswd new password overflow attempt TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# Any yppasswd update from outside, UDP.
signature sid-2031 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC yppasswd user update UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# Any yppasswd update from outside, TCP.
signature sid-2032 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC yppasswd user update TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
}

# ---- portmapper GETPORT lookups ------------------------------------------
# NOTE(review): the "portmap <service> request" signatures were converted
# without Snort's byte_jump (the "Not supported" line), which skipped the RPC
# credentials and verifier -- at least 16 bytes between the procedure number
# (\x00\x00\x00\x03 = GETPORT) and the GETPORT argument in a well-formed call.
# As converted, the service's program number must follow the procedure number
# immediately, so these are unlikely to match real requests; do not count
# them as coverage. \x00\x00\x00\x03[\x00-\xff]{16,}<prog> is the probable
# repair -- confirm against a capture before changing.

# ypserv (100004 = \x00\x01\x86\xA4) lookup, UDP.
signature sid-590 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ypserv request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
}

# ypserv lookup, TCP.
signature sid-1276 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap ypserv request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
}

# ypserv MAPLIST (procedure 11 = \x00\x00\x00\x0B) on any UDP port: lists the
# NIS maps of a domain, a common NIS reconnaissance step.
signature sid-2033 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC ypserv maplist request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
}

# TCP twin of sid-2033.
signature sid-2034 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC ypserv maplist request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
}

# network-status-monitor (200048 = \x00\x03\x0D\x70) lookup, UDP.
signature sid-2035 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap network-status-monitor request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0D\x70/
}

# network-status-monitor lookup, TCP.
signature sid-2036 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap network-status-monitor request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0D\x70/
}

# network-status-monitor (200048) procedure 1 on any UDP port.
signature sid-2037 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC network-status-monitor mon-callback request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x03\x0D\x70.{4}\x00\x00\x00\x01/
}

# TCP twin of sid-2037.
signature sid-2038 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC network-status-monitor mon-callback request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x03\x0D\x70.{4}\x00\x00\x00\x01/
}

# nlockmgr (100021 = \x00\x01\x86\xB5) lookup, UDP (same byte_jump caveat).
signature sid-2079 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nlockmgr request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
}

# nlockmgr lookup, TCP (same byte_jump caveat).
signature sid-2080 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap nlockmgr request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
}

# rpc.xfsmd (391016 = \x00\x05\xF7\x68) lookup, UDP (same byte_jump caveat).
signature sid-2081 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rpc.xfsmd request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x68/
}

# rpc.xfsmd lookup, TCP (same byte_jump caveat).
signature sid-2082 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap rpc.xfsmd request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x68/
}

# rpc.xfsmd (391016) procedure 13 (\x00\x00\x00\x0D, xfs_export) on any UDP
# port. No length or content check survives, so this is "procedure seen".
signature sid-2083 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC rpc.xfsmd xfs_export attempt UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x05\xF7\x68.{4}\x00\x00\x00\x0D/
}

# TCP twin of sid-2083.
signature sid-2084 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  event "RPC rpc.xfsmd xfs_export attempt TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x05\xF7\x68.{4}\x00\x00\x00\x0D/
}

# kcms_server (100221 = \x00\x01\x87\x7D) lookup, UDP (same byte_jump caveat).
signature sid-2005 {
  ip-proto == udp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap kcms_server request UDP"
  payload /.{3}\x00\x00\x00\x00/
  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x7D/
}

# kcms_server lookup, TCP (same byte_jump caveat).
signature sid-2006 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 111
  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
  event "RPC portmap kcms_server request TCP"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x7D/
}

# A call to kcms_server (100221) on TCP 32771-34000 carrying "/../" anywhere
# after the program number. The ".*.{0}.*" in the middle is a converter
# artifact (.{0} matches nothing) and is equivalent to a single ".*"; the
# procedure number is not checked, only the traversal string.
signature sid-2007 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port >= 32771
  dst-port <= 34000
  # Not supported: byte_jump: 4,20,relative,align,4,4,relative,align
  event "RPC kcms_server directory traversal attempt"
  tcp-state established,originator
  payload /.{7}\x00\x00\x00\x00/
  payload /.{15}\x00\x01\x87\x7D.*.{0}.*\/\.\.\//
}

# ---- RSERVICES (rlogin 513 / rsh 514) -------------------------------------
# The originator-side patterns match the NUL-separated local/remote user
# fields at the start of an rlogin/rsh request; the responder-side ones match
# the server's failure text.

# rlogin request whose user fields are two runs of eight colons split by a
# NUL: the login string used against Linux NIS hosts.
signature sid-601 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 513
  event "RSERVICES rlogin LinuxNIS"
  tcp-state established,originator
  payload /.*\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x00\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x3a/
}

# rlogin as "bin" from "bin" (local and remote user both "bin").
signature sid-602 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 513
  event "RSERVICES rlogin bin"
  tcp-state established,originator
  payload /.*bin\x00bin\x00/
}

# rlogin stream carrying `echo " + + "`: the command used to drop a wildcard
# trust entry ("+ +") into a .rhosts/hosts.equiv file.
signature sid-603 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 513
  event "RSERVICES rlogin echo++"
  tcp-state established,originator
  payload /.*echo \x22 \+ \+ \x22/
}

# rlogin request containing "-froot": the historical "rlogin -l -froot"
# authentication-bypass argument (note the event text says rsh; the pattern
# is matched on port 513, i.e. rlogin).
signature sid-604 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 513
  event "RSERVICES rsh froot"
  tcp-state established,originator
  payload /.*-froot\x00/
}

# rlogind replying "Permission denied." to an outside client. sid-605 below
# raises the same event text for the "login incorrect" reply.
signature sid-611 {
  ip-proto == tcp
  src-ip == local_nets
  dst-ip != local_nets
  src-port == 513
  event "RSERVICES rlogin login failure"
  tcp-state established,responder
  payload /.*\x01rlogind\x3a Permission denied\./
}

# rlogin server replying "login incorrect" to an outside client.
signature sid-605 {
  ip-proto == tcp
  src-ip == local_nets
  dst-ip != local_nets
  src-port == 513
  event "RSERVICES rlogin login failure"
  tcp-state established,responder
  payload /.*login incorrect/
}

# rlogin as "root" from "root".
signature sid-606 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 513
  event "RSERVICES rlogin root"
  tcp-state established,originator
  payload /.*root\x00root\x00/
}

# rsh as "bin" from "bin".
signature sid-607 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 514
  event "RSERVICES rsh bin"
  tcp-state established,originator
  payload /.*bin\x00bin\x00/
}

signature sid-608 {
  ip-proto == tcp
  src-ip != local_nets
  dst-ip == local_nets
  dst-port == 514
  event "RSERVICES rsh 
echo + +" tcp-state established,originator payload /.*echo \x22\+ \+\x22/ } signature sid-609 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 514 event "RSERVICES rsh froot" tcp-state established,originator payload /.*-froot\x00/ } signature sid-610 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 514 event "RSERVICES rsh root" tcp-state established,originator payload /.*root\x00root\x00/ } signature sid-2113 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 512 event "RSERVICES rexec username overflow attempt" payload /.{8}.*\x00.*.{0}.*\x00.*.{0}.*\x00/ } signature sid-2114 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 512 event "RSERVICES rexec password overflow attempt" payload /.*\x00.{33}.*\x00.*.{0}.*\x00/ } signature sid-268 { src-ip != local_nets dst-ip == local_nets payload-size == 408 event "DOS Jolt attack" header ip[6:1] & 224 == 32 } signature sid-270 { ip-proto == udp src-ip != local_nets dst-ip == local_nets event "DOS Teardrop attack" header ip[6:1] & 224 == 32 header ip[4:2] == 242 } signature sid-271-a { ip-proto == udp src-port == 7 dst-port == 19 event "DOS UDP echo+chargen bomb" } signature sid-271-b { ip-proto == udp src-port == 19 dst-port == 7 event "DOS UDP echo+chargen bomb" } signature sid-272 { src-ip != local_nets dst-ip == local_nets header ip[9:1] == 2 event "DOS IGMP dos attack" header ip[6:1] & 224 == 32 payload /\x02\x00/ } signature sid-273 { src-ip != local_nets dst-ip == local_nets header ip[9:1] == 2 event "DOS IGMP dos attack" header ip[6:1] & 224 == 32 payload /\x00\x00/ } signature sid-274 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 8 event "DOS ath" payload /.*\+\+\+[aA][tT][hH]/ } signature sid-275-a { ip-proto == tcp src-ip == local_nets dst-ip != local_nets header tcp[13:1] & 255 == 2 header tcp[4:4] == 6060842 event "DOS NAPTHA" header ip[4:2] == 413 } signature sid-275-b { ip-proto == tcp 
src-ip != local_nets dst-ip == local_nets header tcp[13:1] & 255 == 2 header tcp[4:4] == 6060842 event "DOS NAPTHA" header ip[4:2] == 413 } signature sid-276 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 7070 event "DOS Real Audio Server" tcp-state established,originator payload /.*\xff\xf4\xff\xfd\x06/ } signature sid-277 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 7070 event "DOS Real Server template.html" tcp-state established,originator payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/ } signature sid-278 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 8080 event "DOS Real Server template.html" tcp-state established,originator payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/ } signature sid-279 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 161 payload-size == 0 event "DOS Bay/Nortel Nautica Marlin" } signature sid-281 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 9 event "DOS Ascend Route" payload /.{24}.{0,17}\x4e\x41\x4d\x45\x4e\x41\x4d\x45/ } signature sid-282 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 617 payload-size > 1445 event "DOS arkiea backup" tcp-state established,originator } signature sid-1257 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port >= 135 dst-port <= 139 header tcp[13:1] & 255 == 32 event "DOS Winnuke attack" } signature sid-1408 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 3372 payload-size > 1023 event "DOS MSDTC attempt" tcp-state established,originator } signature sid-1605 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 6004 event "DOS iParty DOS attempt" tcp-state established,originator payload /.*\xFF\xFF\xFF\xFF\xFF\xFF/ } signature sid-1641 { ip-proto == tcp src-ip != local_nets dst-ip 
== local_nets dst-port >= 6789 dst-port <= 6790 payload-size == 1 event "DOS DB2 dos attempt" tcp-state established,originator } signature sid-1545 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == 80 payload-size == 1 event "DOS Cisco attempt" tcp-state established,originator payload /\x13/ } signature sid-221 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 8 event "DDOS TFN Probe" header ip[4:2] == 678 payload /.*1234/ } signature sid-222 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 event "DDOS tfn2k icmp possible communication" header icmp[0:1] == 0,8 header icmp[4:2] == 0 payload /.*AAAAAAAAAA/ } signature sid-223 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 31335 event "DDOS Trin00:DaemontoMaster(PONGdetected)" payload /.*PONG/ } signature sid-228 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 header icmp[0:1] == 0,8 header icmp[6:2] == 0 event "DDOS TFN client command BE" header icmp[0:1] == 0,8 header icmp[4:2] == 456 } signature sid-230 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 20432 event "DDOS shaft client to handler" tcp-state established } signature sid-231 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 31335 event "DDOS Trin00:DaemontoMaster(messagedetected)" payload /.*l44/ } signature sid-232 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 31335 event "DDOS Trin00:DaemontoMaster(*HELLO*detected)" payload /.*\*HELLO\*/ } signature sid-233 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 27665 event "DDOS Trin00:Attacker to Master default startup password" tcp-state established,originator payload /.*betaalmostdone/ } signature sid-234 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 27665 event "DDOS Trin00 Attacker to Master default password" tcp-state 
established,originator payload /.*gOrave/ } signature sid-235 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 27665 event "DDOS Trin00 Attacker to Master default mdie password" tcp-state established,originator payload /.*killme/ } signature sid-237 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 27444 event "DDOS Trin00:MastertoDaemon(defaultpassdetected!)" payload /.*l44adsl/ } signature sid-238 { ip-proto == icmp src-ip == local_nets dst-ip != local_nets header icmp[0:1] == 0 header icmp[0:1] == 0,8 header icmp[6:2] == 0 event "DDOS TFN server response" header icmp[0:1] == 0,8 header icmp[4:2] == 123 payload /.*shell bound to port/ } signature sid-239 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 18753 event "DDOS shaft handler to agent" payload /.*alive tijgu/ } signature sid-240 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 20433 event "DDOS shaft agent to handler" payload /.*alive/ } signature sid-241-a { ip-proto == tcp src-ip != local_nets dst-ip == local_nets header tcp[13:1] & 255 == 2 header tcp[4:4] == 674711609 event "DDOS shaft synflood" } signature sid-241-b { ip-proto == tcp src-ip == local_nets dst-ip != local_nets header tcp[13:1] & 255 == 2 header tcp[4:4] == 674711609 event "DDOS shaft synflood" } signature sid-243 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 6838 event "DDOS mstream agent to handler" payload /.*newserver/ } signature sid-244 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 10498 event "DDOS mstream handler to agent" payload /.*stream\// } signature sid-245 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 10498 event "\"DDOS mstream handler ping to agent\" " payload /.*ping/ } signature sid-246 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 10498 event "\"DDOS mstream agent pong to handler\" " payload /.*pong/ } signature sid-247 { 
ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 12754 event "DDOS mstream client to handler" tcp-state established,originator payload /.*>/ } signature sid-248 { ip-proto == tcp src-ip == local_nets dst-ip != local_nets src-port == 12754 event "DDOS mstream handler to client" tcp-state established,responder payload /.*>/ } signature sid-249 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 15104 header tcp[13:1] & 255 == 2 event "DDOS mstream client to handler" } signature sid-250 { ip-proto == tcp src-ip == local_nets dst-ip != local_nets src-port == 15104 event "DDOS mstream handler to client" tcp-state established,responder payload /.*>/ } signature sid-251 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 header icmp[0:1] == 0,8 header icmp[6:2] == 0 event "DDOS - TFN client command LE" header icmp[0:1] == 0,8 header icmp[4:2] == 51201 } signature sid-224 { ip-proto == icmp src-ip == 3.3.3.3/32 dst-ip != local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht server spoof" header icmp[0:1] == 0,8 header icmp[4:2] == 666 } signature sid-225 { ip-proto == icmp src-ip == local_nets dst-ip != local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht gag server response" header icmp[0:1] == 0,8 header icmp[4:2] == 669 payload /.*sicken/ } signature sid-226 { ip-proto == icmp src-ip == local_nets dst-ip != local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht server response" header icmp[0:1] == 0,8 header icmp[4:2] == 667 payload /.*ficken/ } signature sid-227 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht client spoofworks" header icmp[0:1] == 0,8 header icmp[4:2] == 1000 payload /.*spoofworks/ } signature sid-236 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht client check gag" header icmp[0:1] == 0,8 header icmp[4:2] == 668 payload /.*gesundheit!/ } signature 
sid-229 { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht client check skillz" header icmp[0:1] == 0,8 header icmp[4:2] == 666 payload /.*skillz/ } signature sid-1854-a { ip-proto == icmp src-ip == local_nets dst-ip != local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht handler->agent (niggahbitch)" header icmp[0:1] == 0,8 header icmp[4:2] == 9015 payload /.*niggahbitch/ } signature sid-1854-b { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht handler->agent (niggahbitch)" header icmp[0:1] == 0,8 header icmp[4:2] == 9015 payload /.*niggahbitch/ } signature sid-1855-a { ip-proto == icmp src-ip == local_nets dst-ip != local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht agent->handler (skillz)" header icmp[0:1] == 0,8 header icmp[4:2] == 6666 payload /.*skillz/ } signature sid-1855-b { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht agent->handler (skillz)" header icmp[0:1] == 0,8 header icmp[4:2] == 6666 payload /.*skillz/ } signature sid-1856-a { ip-proto == icmp src-ip == local_nets dst-ip != local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht handler->agent (ficken)" header icmp[0:1] == 0,8 header icmp[4:2] == 6667 payload /.*ficken/ } signature sid-1856-b { ip-proto == icmp src-ip != local_nets dst-ip == local_nets header icmp[0:1] == 0 event "DDOS Stacheldraht handler->agent (ficken)" header icmp[0:1] == 0,8 header icmp[4:2] == 6667 payload /.*ficken/ } signature sid-255 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS zone transfer TCP" tcp-state established,originator payload /.{14}.*\x00\x00\xFC/ } signature sid-1948 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS zone transfer UDP" payload /.{13}.*\x00\x00\xFC/ } signature sid-1435 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets 
dst-port == 53 event "DNS named authors attempt" tcp-state established,originator payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/ payload /.{11}.*\x04[bB][iI][nN][dD]/ } signature sid-256 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS named authors attempt" payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/ payload /.{11}.*\x04[bB][iI][nN][dD]/ } signature sid-257 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS named version attempt" tcp-state established,originator payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/ payload /.{11}.*\x04[bB][iI][nN][dD]/ } signature sid-1616 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS named version attempt" payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/ payload /.{11}.*\x04[bB][iI][nN][dD]/ } signature sid-253 { ip-proto == udp src-ip != local_nets dst-ip == local_nets src-port == 53 event "DNS SPOOF query response PTR with TTL: 1 min. and no authority" payload /.*\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00/ payload /.*\xc0\x0c\x00\x0c\x00\x01\x00\x00\x00\x3c\x00\x0f/ } signature sid-254 { ip-proto == udp src-ip != local_nets dst-ip == local_nets src-port == 53 event "DNS SPOOF query response with ttl: 1 min. 
and no authority" payload /.*\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00/ payload /.*\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04/ } signature sid-258 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT named 8.2->8.2.1" tcp-state established,originator payload /.*\.\.\/\.\.\/\.\.\// } signature sid-303 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT named tsig overflow attempt" tcp-state established,originator payload /.*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x20\x20\x20\x20\x02\x61/ } signature sid-314 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT named tsig overflow attempt" payload /.*\x80\x00\x07\x00\x00\x00\x00\x00\x01\x3F\x00\x01\x02/ } signature sid-259 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT named overflow (ADM)" tcp-state established,originator payload /.*thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool/ } signature sid-260 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT named overflow (ADMROCKS)" tcp-state established,originator payload /.*ADMROCKS/ } signature sid-261 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT named overflow attempt" tcp-state established,originator payload /.*\xCD\x80\xE8\xD7\xFF\xFF\xFF\/bin\/sh/ } signature sid-262 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT x86 Linux overflow attempt" tcp-state established,originator payload /.*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0/ } signature sid-264 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT x86 Linux overflow attempt" tcp-state established,originator payload 
/.*\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0/ } signature sid-265 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)" tcp-state established,originator payload /.*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe/ } signature sid-266 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT x86 FreeBSD overflow attempt" tcp-state established,originator payload /.*\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05/ } signature sid-267 { ip-proto == tcp src-ip != local_nets dst-ip == local_nets dst-port == 53 event "DNS EXPLOIT sparc overflow attempt" tcp-state established,originator payload /.*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8/ } signature sid-1941 { ip-proto == udp dst-port == 69 event "TFTP filename overflow attempt" payload /\x00\x01[^\x00]{100}/ } signature sid-1289 { ip-proto == udp dst-port == 69 event "TFTP GET Admin.dll" payload /\x00\x01/ payload /.{1}.*[aA][dD][mM][iI][nN]\.[dD][lL][lL]/ } signature sid-1441 { ip-proto == udp dst-port == 69 event "TFTP GET nc.exe" payload /\x00\x01/ payload /.{1}.*[nN][cC]\.[eE][xX][eE]/ } signature sid-1442 { ip-proto == udp dst-port == 69 event "TFTP GET shadow" payload /\x00\x01/ payload /.{1}.*[sS][hH][aA][dD][oO][wW]/ } signature sid-1443 { ip-proto == udp dst-port == 69 event "TFTP GET passwd" payload /\x00\x01/ payload /.{1}.*[pP][aA][sS][sS][wW][dD]/ } signature sid-519 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 69 event "TFTP parent directory" payload /.{1}.*\.\./ } signature sid-520 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 69 event "TFTP root directory" payload /\x00\x01\// } signature sid-518 { ip-proto == udp src-ip != local_nets dst-ip == local_nets dst-port == 69 event "TFTP Put" payload /\x00\x02/ } signature sid-1444 { ip-proto == udp src-ip != local_nets dst-ip == local_nets 
dst-port == 69 event "TFTP Get" payload /\x00\x01/ } signature sid-803 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt" http /.*[\/\\]hsx\.cgi/ tcp-state established,originator payload /.*\.\.\/\.\.\/.{1}.*%00/ } signature sid-1607 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI HyperSeek hsx.cgi access" http /.*[\/\\]hsx\.cgi/ tcp-state established,originator } signature sid-804 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI SWSoft ASPSeek Overflow attempt" http /.*[\/\\]s\.cgi/ tcp-state established,originator payload /.*[tT][mM][pP][lL]=/ } signature sid-805 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI webspeed access" http /.*[\/\\]wsisa\.dll[\/\\]WService=/ tcp-state established,originator payload /.*[wW][sS][mM][aA][dD][mM][iI][nN]/ } signature sid-806 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI yabb.cgi directory traversal attempt" http /.*[\/\\]YaBB\.pl/ tcp-state established,originator payload /.*\.\.\// } signature sid-1637 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI yabb.cgi access" http /.*[\/\\]YaBB\.pl/ tcp-state established,originator } signature sid-807 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI /wwwboard/passwd.txt access" http /.*[\/\\]wwwboard[\/\\]passwd\.txt/ tcp-state established,originator } signature sid-808 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI webdriver access" http /.*[\/\\]webdriver/ tcp-state established,originator } signature sid-809 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI whois_raw.cgi arbitrary 
command execution attempt" http /.*[\/\\]whois_raw\.cgi\?/ tcp-state established,originator payload /.*\x0a/ } signature sid-810 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI whois_raw.cgi access" http /.*[\/\\]whois_raw\.cgi/ tcp-state established,originator } signature sid-811 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI websitepro path access" tcp-state established,originator payload /.* \/[hH][tT][tT][pP]\/1\./ } signature sid-812 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI webplus version access" http /.*[\/\\]webplus\?about/ tcp-state established,originator } signature sid-813 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI webplus directory traversal" http /.*[\/\\]webplus\?script/ tcp-state established,originator payload /.*\.\.\// } signature sid-815 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI websendmail access" http /.*[\/\\]websendmail/ tcp-state established,originator } signature sid-1571 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI dcforum.cgi directory traversal attempt" http /.*[\/\\]dcforum\.cgi/ tcp-state established,originator payload /.*forum=\.\.\/\.\./ } signature sid-818 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI dcforum.cgi access" http /.*[\/\\]dcforum\.cgi/ tcp-state established,originator } signature sid-817 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI dcboard.cgi invalid user addition attempt" http /.*[\/\\]dcboard\.cgi/ tcp-state established,originator payload /.*command=register/ payload /.*%7cadmin/ } signature sid-1410 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports 
event "WEB-CGI dcboard.cgi access" http /.*[\/\\]dcboard\.cgi/ tcp-state established,originator } signature sid-819 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI mmstdod.cgi access" http /.*[\/\\]mmstdod\.cgi/ tcp-state established,originator } signature sid-820 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI anaconda directory transversal attempt" http /.*[\/\\]apexec\.pl/ tcp-state established,originator payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\// } signature sid-821 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI imagemap.exe overflow attempt" http /.*[\/\\]imagemap\.exe\?/ tcp-state established,originator } signature sid-1700 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI imagemap.exe access" http /.*[\/\\]imagemap\.exe/ tcp-state established,originator } signature sid-823 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI cvsweb.cgi access" http /.*[\/\\]cvsweb\.cgi/ tcp-state established,originator } signature sid-824 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI php.cgi access" http /.*[\/\\]php\.cgi/ tcp-state established,originator } signature sid-825 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI glimpse access" http /.*[\/\\]glimpse/ tcp-state established,originator } signature sid-1608 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI htmlscript attempt" http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./ tcp-state established,originator } signature sid-826 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI htmlscript access" http /.*[\/\\]htmlscript/ tcp-state established,originator } signature 
sid-827 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI info2www access" http /.*[\/\\]info2www/ tcp-state established,originator } signature sid-828 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI maillist.pl access" http /.*[\/\\]maillist\.pl/ tcp-state established,originator } signature sid-829 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI nph-test-cgi access" http /.*[\/\\]nph-test-cgi/ tcp-state established,originator } signature sid-1451 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI NPH-publish access" http /.*[\/\\]nph-maillist\.pl/ tcp-state established,originator } signature sid-830 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI NPH-publish access" http /.*[\/\\]nph-publish/ tcp-state established,originator } signature sid-833 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI rguest.exe access" http /.*[\/\\]rguest\.exe/ tcp-state established,originator } signature sid-834 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI rwwwshell.pl access" http /.*[\/\\]rwwwshell\.pl/ tcp-state established,originator } signature sid-1644 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI test-cgi attempt" http /.*[\/\\]test-cgi[\/\\]\*\?\*/ tcp-state established,originator } signature sid-835 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI test-cgi access" http /.*[\/\\]test-cgi/ tcp-state established,originator } signature sid-1645 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI testcgi access" http /.*[\/\\]testcgi/ tcp-state established,originator } signature 
sid-1646 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI test.cgi access" http /.*[\/\\]test\.cgi/ tcp-state established,originator } signature sid-836 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI textcounter.pl access" http /.*[\/\\]textcounter\.pl/ tcp-state established,originator } signature sid-837 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI uploader.exe access" http /.*[\/\\]uploader\.exe/ tcp-state established,originator } signature sid-838 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI webgais access" http /.*[\/\\]webgais/ tcp-state established,originator } signature sid-839 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI finger access" http /.*[\/\\]finger/ tcp-state established,originator } signature sid-840 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI perlshop.cgi access" http /.*[\/\\]perlshop\.cgi/ tcp-state established,originator } signature sid-841 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI pfdisplay.cgi access" http /.*[\/\\]pfdisplay\.cgi/ tcp-state established,originator } signature sid-842 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI aglimpse access" http /.*[\/\\]aglimpse/ tcp-state established,originator } signature sid-843 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI anform2 access" http /.*[\/\\]AnForm2/ tcp-state established,originator } signature sid-844 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI args.bat access" http /.*[\/\\]args\.bat/ tcp-state established,originator } signature sid-1452 { ip-proto == 
tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI args.cmd access" http /.*[\/\\]args\.cmd/ tcp-state established,originator }

# ---------------------------------------------------------------------------
# WEB-CGI signatures (Snort sid numbers carried over into Bro signature form).
#
# Shared shape of every signature in this block:
#   ip-proto == tcp, src-ip != local_nets, dst-ip == http_servers,
#   dst-port == http_ports, tcp-state established,originator
# i.e. only requests from OUTSIDE local_nets toward the configured web
# servers are examined; the same request from an internal host never raises
# one of these events.
#
# Matching semantics to keep in mind when tuning:
#   - `http /re/` is matched against the client request URI;
#     `payload /re/` is matched against the raw originator stream, so a
#     `payload` condition fires on its byte sequence anywhere in the request
#     (headers or body), not only in the query string.
#   - The "... access" signatures are bare name matches. They do not exclude
#     the corresponding, more specific "... attempt" signature, so a single
#     exploit request normally raises BOTH events (e.g. sid-1536 + sid-1537,
#     sid-848 + sid-849).
#   - Unless a pattern spells out [aA]-style classes it is case-sensitive.
#     NOTE(review): the upstream rules these were converted from are usually
#     case-insensitive; alternate-case URIs on case-insensitive servers (IIS)
#     would not match here -- confirm before relying on these for such hosts.
#   - Traversal checks below look for a literal "../" (and in some cases
#     "..\"); percent-encoded forms such as %2e%2e%2f are not covered by the
#     regexes as written.
# ---------------------------------------------------------------------------

signature sid-845 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI AT-admin.cgi access" http /.*[\/\\]AT-admin\.cgi/ tcp-state established,originator }
signature sid-1453 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI AT-generated.cgi access" http /.*[\/\\]AT-generated\.cgi/ tcp-state established,originator }
signature sid-846 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bnbform.cgi access" http /.*[\/\\]bnbform\.cgi/ tcp-state established,originator }
# "campas" is an unanchored substring after a path separator; any URI segment
# beginning with that word matches.
signature sid-847 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI campas access" http /.*[\/\\]campas/ tcp-state established,originator }

# view-source: sid-848 adds a raw-payload "../" check on top of the URI match
# used by sid-849, so a traversal request raises both events.
signature sid-848 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI view-source directory traversal" http /.*[\/\\]view-source/ tcp-state established,originator payload /.*\.\.\// }
signature sid-849 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI view-source access" http /.*[\/\\]view-source/ tcp-state established,originator }
signature sid-850 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI wais.pl access" http /.*[\/\\]wais\.pl/ tcp-state established,originator }
signature sid-1454 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI wwwwais access" http /.*[\/\\]wwwwais/ tcp-state established,originator }
signature sid-851 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI files.pl access" http /.*[\/\\]files\.pl/ tcp-state established,originator }
signature sid-852 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI wguest.exe access" http /.*[\/\\]wguest\.exe/ tcp-state established,originator }
# "wrap" is a very short unanchored substring ("/wrapper", "/wrap-up" ...);
# expect false positives on ordinary sites.
signature sid-853 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI wrap access" http /.*[\/\\]wrap/ tcp-state established,originator }
signature sid-854 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI classifieds.cgi access" http /.*[\/\\]classifieds\.cgi/ tcp-state established,originator }
signature sid-856 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI environ.cgi access" http /.*[\/\\]environ\.cgi/ tcp-state established,originator }

# faxsurvey: sid-1647 matches a query that starts with a path separator,
# sid-1609 matches a literal lowercase "cat" followed by a URL-encoded space
# (%20). "cat+", "cat%09", uppercase or other commands are not caught by
# sid-1609; sid-857 still fires on any use of the script.
signature sid-1647 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI faxsurvey attempt (full path)" http /.*[\/\\]faxsurvey\?[\/\\]/ tcp-state established,originator }
signature sid-1609 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI faxsurvey arbitrary file read attempt" http /.*[\/\\]faxsurvey\?cat%20/ tcp-state established,originator }
signature sid-857 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI faxsurvey access" http /.*[\/\\]faxsurvey/ tcp-state established,originator }
signature sid-858 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI filemail access" http /.*[\/\\]filemail\.pl/ tcp-state established,originator }
signature sid-859 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI man.sh access" http /.*[\/\\]man\.sh/ tcp-state established,originator }
signature sid-860 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI snork.bat access" http /.*[\/\\]snork\.bat/ tcp-state established,originator }
signature sid-861 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI w3-msql access" http /.*[\/\\]w3-msql[\/\\]/ tcp-state established,originator }
signature sid-863 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI day5datacopier.cgi access" http /.*[\/\\]day5datacopier\.cgi/ tcp-state established,originator }
signature sid-864 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI day5datanotifier.cgi access" http /.*[\/\\]day5datanotifier\.cgi/ tcp-state established,originator }
signature sid-866 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI post-query access" http /.*[\/\\]post-query/ tcp-state established,originator }
signature sid-867 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI visadmin.exe access" http /.*[\/\\]visadmin\.exe/ tcp-state established,originator }
signature sid-869 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI dumpenv.pl access" http /.*[\/\\]dumpenv\.pl/ tcp-state established,originator }

# calendar_admin.pl: sid-1536 requires a literal "|" (shell pipe) right after
# "config="; a percent-encoded pipe (%7c) in the URI would not match this
# regex. sid-1537 fires on any access to the script.
signature sid-1536 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI calendar_admin.pl arbitrary command execution attempt" http /.*[\/\\]calendar_admin\.pl\?config=\|/ tcp-state established,originator }
signature sid-1537 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI calendar_admin.pl access" http /.*[\/\\]calendar_admin\.pl/ tcp-state established,originator }
signature sid-1701 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI calendar-admin.pl access" http /.*[\/\\]calendar-admin\.pl/ tcp-state established,originator }
# "calender" (sic) is the script name being looked for, not a typo in the rule.
signature sid-1455 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI calender.pl access" http /.*[\/\\]calender\.pl/ tcp-state established,originator }
# Generic "/calendar" prefix: also matches sid-1536/1537/1701 URIs and any
# ordinary "/calendar..." path; high false-positive potential.
signature sid-882 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI calendar access" http /.*[\/\\]calendar/ tcp-state established,originator }
signature sid-1457 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI user_update_admin.pl access" http /.*[\/\\]user_update_admin\.pl/ tcp-state established,originator }
signature sid-1458 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI user_update_passwd.pl access" http /.*[\/\\]user_update_passwd\.pl/ tcp-state established,originator }
signature sid-870 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI snorkerz.cmd access" http /.*[\/\\]snorkerz\.cmd/ tcp-state established,originator }
signature sid-871 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI survey.cgi access" http /.*[\/\\]survey\.cgi/ tcp-state established,originator }
# "scriptalias": three consecutive path separators anywhere in the URI.
# Nothing ties this to a CGI directory, so "///" in any request fires it.
signature sid-873 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI scriptalias access" http /.*[\/\\][\/\\][\/\\]/ tcp-state established,originator }
signature sid-875 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI win-c-sample.exe access" http /.*[\/\\]win-c-sample\.exe/ tcp-state established,originator }
signature sid-878 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI w3tvars.pm access" http /.*[\/\\]w3tvars\.pm/ tcp-state established,originator }
signature sid-879 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI admin.pl access" http /.*[\/\\]admin\.pl/ tcp-state established,originator }
signature sid-880 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI LWGate access" http /.*[\/\\]LWGate/ tcp-state established,originator }
signature sid-881 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI archie access" http /.*[\/\\]archie/ tcp-state established,originator }
signature sid-883 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI flexform access" http /.*[\/\\]flexform/ tcp-state established,originator }

# formmail: the injection marker is an encoded newline. Note this one accepts
# both %0a and %0A, and it is a `payload` match, so the sequence may sit
# anywhere in the request, including the POST body.
signature sid-1610 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI formmail arbitrary command execution attempt" http /.*[\/\\]formmail/ tcp-state established,originator payload /.*%0[aA]/ }
signature sid-884 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI formmail access" http /.*[\/\\]formmail/ tcp-state established,originator }
# phf: "Qalias" is matched case-insensitively, but the newline marker is the
# lowercase "%0a/" only. NOTE(review): unlike sid-1610 above, "%0A/" (the
# form most URL encoders emit) does not fire this signature -- confirm
# against the upstream rule and consider "%0[aA]\/" for consistency.
signature sid-1762 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI phf arbitrary command execution attempt" http /.*[\/\\]phf/ tcp-state established,originator payload /.*[qQ][aA][lL][iI][aA][sS]/ payload /.*%0a\// }
signature sid-886 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI phf access" http /.*[\/\\]phf/ tcp-state established,originator }
signature sid-887 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI www-sql access" http /.*[\/\\]www-sql/ tcp-state established,originator }
signature sid-888 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI wwwadmin.pl access" http /.*[\/\\]wwwadmin\.pl/ tcp-state established,originator }
signature sid-889 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI ppdscgi.exe access" http /.*[\/\\]ppdscgi\.exe/ tcp-state established,originator }
signature sid-890 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI sendform.cgi access" http /.*[\/\\]sendform\.cgi/ tcp-state established,originator }
signature sid-891 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI upload.pl access" http /.*[\/\\]upload\.pl/ tcp-state established,originator }
signature sid-892 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI AnyForm2 access" http /.*[\/\\]AnyForm2/ tcp-state established,originator }
signature sid-893 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI MachineInfo access" http /.*[\/\\]MachineInfo/ tcp-state established,originator }

# Big Brother (bb-*.sh) scripts. The "attempt" signatures require a literal
# "../.." (or "..\..") immediately after the parameter; one traversal request
# raises both the "attempt" and the "access" event.
signature sid-1531 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-hist.sh attempt" http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./ tcp-state established,originator }
signature sid-894 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-hist.sh access" http /.*[\/\\]bb-hist\.sh/ tcp-state established,originator }
signature sid-1459 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-histlog.sh access" http /.*[\/\\]bb-histlog\.sh/ tcp-state established,originator }
signature sid-1460 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-histsvc.sh access" http /.*[\/\\]bb-histsvc\.sh/ tcp-state established,originator }
# The event names of sid-1532/1533 say "bb-hostscv.sh" while the regex (and
# the script) is "bb-hostsvc.sh"; the label typo is inherited and harmless,
# but grep for the regex form when hunting these alerts.
# NOTE(review): the second "\?" (after HOSTSVC) reads like it should be "=";
# as written a request of the form "bb-hostsvc.sh?HOSTSVC=../.." does not
# match sid-1532 and only sid-1533 fires -- confirm against the upstream rule.
signature sid-1532 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-hostscv.sh attempt" http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./ tcp-state established,originator }
signature sid-1533 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-hostscv.sh access" http /.*[\/\\]bb-hostsvc\.sh/ tcp-state established,originator }
signature sid-1461 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-rep.sh access" http /.*[\/\\]bb-rep\.sh/ tcp-state established,originator }
signature sid-1462 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI bb-replog.sh access" http /.*[\/\\]bb-replog\.sh/ tcp-state established,originator }
# "/redirect" is a common legitimate path component; expect noise.
signature sid-895 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI redirect access" http /.*[\/\\]redirect/ tcp-state established,originator }

# way-board: "db=" and "../.." are independent raw-payload matches; they need
# not be adjacent, and only the forward-slash traversal form is checked.
signature sid-1397 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI wayboard attempt" http /.*[\/\\]way-board[\/\\]way-board\.cgi/ tcp-state established,originator payload /.*db=/ payload /.*\.\.\/\.\./ }
signature sid-896 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI way-board access" http /.*[\/\\]way-board/ tcp-state established,originator }
# pals-cgi: the "attempt" signature only checks that a "documentName="
# parameter is present (case-insensitive) -- it does not inspect the value,
# so any legitimate use of that parameter also fires.
signature sid-1222 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI pals-cgi arbitrary file access attempt" http /.*[\/\\]pals-cgi/ tcp-state established,originator payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/ }
signature sid-897 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI pals-cgi access" http /.*[\/\\]pals-cgi/ tcp-state established,originator }
# commerce.cgi: "page=" and "/../" are independent raw-payload matches
# (forward slash only).
signature sid-1572 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI commerce.cgi arbitrary file access attempt" http /.*[\/\\]commerce\.cgi/ tcp-state established,originator payload /.*page=/ payload /.*\/\.\.\// }
signature sid-898 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI commerce.cgi access" http /.*[\/\\]commerce\.cgi/ tcp-state established,originator }
# sendtemp.pl: as with sid-1222, the "traversal attempt" signature only tests
# for the presence of a "templ=" parameter, not for a traversal value.
signature sid-899 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" http /.*[\/\\]sendtemp\.pl/ tcp-state established,originator payload /.*[tT][eE][mM][pP][lL]=/ }
signature sid-1702 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI Amaya templates sendtemp.pl access" http /.*[\/\\]sendtemp\.pl/ tcp-state established,originator }
signature sid-900 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI webspirs.cgi directory traversal attempt" http /.*[\/\\]webspirs\.cgi/ tcp-state established,originator payload /.*\.\.\/\.\.\// }
signature sid-901 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI webspirs.cgi access" http /.*[\/\\]webspirs\.cgi/ tcp-state established,originator }
# tstisapi.dll is the only name in this block matched without the leading
# path-separator anchor used everywhere else.
signature sid-902 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI tstisapi.dll access" http /.*tstisapi\.dll/ tcp-state established,originator }
signature sid-1308 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI sendmessage.cgi access" http /.*[\/\\]sendmessage\.cgi/ tcp-state established,originator }
signature sid-1392 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI lastlines.cgi access" http /.*[\/\\]lastlines\.cgi/ tcp-state established,originator }
# zml.cgi: "file=../" must appear literally (forward slash, unencoded) in the
# raw payload.
signature sid-1395 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI zml.cgi attempt" http /.*[\/\\]zml\.cgi/ tcp-state established,originator payload /.*file=\.\.\// }
signature sid-1396 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI zml.cgi access" http /.*[\/\\]zml\.cgi/ tcp-state established,originator }
# AHG search.cgi: despite the "access" label this one also requires a
# "template=" parameter (case-insensitive) somewhere in the raw request.
signature sid-1405 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI AHG search.cgi access" http /.*[\/\\]publisher[\/\\]search\.cgi/ tcp-state established,originator payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=/ }
# sid-1534 continues on the following line (its http regex is cut here).
signature sid-1534 { ip-proto == tcp src-ip != local_nets dst-ip == http_servers dst-port == http_ports event "WEB-CGI agora.cgi attempt" http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=