# $Id: s2b-augment.cfg 797 2004-11-27 20:26:50Z rwinslow $
<augment 1724-6>
active T
comment WEB-CGI emumail.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2005-10>
active T
comment RPC portmap kcms_server request UDP
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1600-6>
active T
comment WEB-CGI htsearch arbitrary configuration file attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 657-12>
active T
comment SMTP chameleon overflow
comment pcre: /^HELP\s[^\n]{500}/ism
comment "NOTE(review): rule file path below differs from every other entry in this file (s2b_data_on_weed/rules2.1 instead of snort_rules/rules2.2); confirm it is intended and that sid 657 rev 12 is present there"
payload /((^)|(\n+))[hH][eE][lL][pP][\x20\x09\x0b][^\n]{500}/
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
<delete>
payload /.*[hH][eE][lL][pP]/
</delete>
</augment>
<augment 1970-6>
active T
comment WEB-IIS MDAC Content-Type overflow attempt
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 333-8>
active T
comment FINGER . query
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 818-10>
active T
comment WEB-CGI dcforum.cgi access
comment "informational only"
comment "too general but low occurrence"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 683-5>
active T
comment MS-SQL sp_password - password change
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1503-8>
active T
comment WEB-CGI admentor admin.asp access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2104-3>
active T
comment ATTACK-RESPONSES rexec username too long response
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1588-8>
active T
comment WEB-MISC SalesLogix Eviewer access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1502-8>
active T
comment WEB-CGI a1stats a1disp3.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1426-5>
active T
comment SNMP PROTOS test-suite-req-app attempt
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2533-5>
active T
comment "MISC LDAP SSLv3 Server_Hello request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 262-6>
active T
comment "DNS EXPLOIT x86 Linux overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 1865-4>
active T
comment "WEB-CGI webdist.cgi arbitrary command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2063-1>
active T
comment "WEB-MISC Demarc SQL injection attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 937-7>
active T
comment "WEB-FRONTPAGE _vti_rpc access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 879-7>
active T
comment "WEB-CGI admin.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1378-14>
active T
comment "FTP wu-ftp bad file completion attempt {"
sigaction SIG_LOG
<delete>
payload /.*~.{1}.*\{/
</delete>
ftp /.{2,} ~.?\{/
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1107-10>
active T
comment "WEB-MISC ftp.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2084-8>
active T
comment "RPC rpc.xfsmd xfs_export attempt TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1729-5>
active T
comment "CHAT IRC channel join"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
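<augment 2575-1>
active T
comment "WEB-PHP Opt-X header.php remote file include attempt"
comment pcre: /systempath=(http|https|ftp)/i
comment "scheme alternatives are grouped so that the ftp branch, like the http branch, must directly follow the systempath parameter; an ungrouped alternation would match any payload containing ftp"
payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=(([hH][tT]{2}[pP][sS]?)|([fF][tT][pP]))/
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
<delete>
payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=/
</delete>
</augment>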
<augment 1000-7>
active T
comment "WEB-IIS bdir.htr access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1505-7>
active T
comment "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2385-9>
active T
comment "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1675-4>
active T
comment "ORACLE misparsed login response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 1997-3>
active T
comment "WEB-PHP read_body.php access attempt"
comment "JavaScript SquirrelMail exploit: just add to signature"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
http /.*[fF][rR][oO][mM]\x3a.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
</augment>
<augment 1181-8>
active T
comment "WEB-MISC Annex Terminal DOS attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2411-5>
active T
comment WEB-MISC Real Server DESCRIBE buffer overflow attempt
comment "pcre: /^DESCRIBE\s[^\n]{300}/smi"
http "/((^)|(\n+))[dD][eE][sS][cC][rR][iI][bB][eE][\x20\x09\x0b][^\n]{300}/"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
payload "/.*[dD][eE][sS][cC][rR][iI][bB][eE].{1}.*\.\.\//"
</delete>
</augment>
<augment 1634-11>
active T
comment POP3 PASS overflow attempt
comment "pcre: /^PASS\s[^\n]{50}/smi"
payload "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{50}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
<delete>
payload "/.*[pP][aA][sS][sS]/"
</delete>
</augment>
<augment 1960-7>
active T
comment "RPC portmap NFS request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1334-5>
active T
comment "WEB-ATTACKS echo command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 393-8>
active F
comment "ICMP Datagram Conversion Error undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 401-6>
active F
comment "ICMP Destination Unreachable Network Unreachable"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2143-3>
active T
comment "WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 461-7>
active F
comment "ICMP unassigned type 2 undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2081-9>
active T
comment "RPC portmap rpc.xfsmd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2103-9>
active T
comment "NETBIOS SMB trans2open buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 940-7>
active T
comment "WEB-FRONTPAGE shtml.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 335-5>
active T
comment "FTP .rhosts"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
ftp /.*\.rhosts/
<delete>
payload /.*\.rhosts/
</delete>
</augment>
<augment 2212-6>
active T
dst-ip == local_nets
http /.*[\/\\]imageFolio\.cgi\?.*<script>/
comment "WEB-CGI imageFolio.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
<delete>
http /.*[\/\\]imageFolio\.cgi/
</delete>
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1231-8>
active T
comment "WEB-MISC VirusWall catinfo access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1975-6>
active T
comment FTP DELE overflow attempt
comment "pcre: /^DELE\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[dD][eE][lL][eE]/"
</delete>
</augment>
<augment 426-7>
active F
comment "ICMP Parameter Problem Missing a Required Option"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 494-7>
active F
comment "ATTACK-RESPONSES command completed"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1473-5>
active T
comment "WEB-CGI newsdesk.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2026-9>
active T
comment "RPC yppasswd username overflow attempt TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1392-10>
active T
comment "WEB-CGI lastlines.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1453-5>
active T
comment "WEB-CGI AT-generated.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1496-5>
active T
comment "WEB-CGI spin_client.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1197-6>
active T
comment "WEB-PHP Phorum code access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1887-3>
active T
comment "MISC OpenSSL Worm traffic"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 589-8>
active T
comment "RPC portmap yppasswd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 533-8>
active T
comment "NETBIOS SMB C$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2530-3>
active T
comment "IMAP SSLv3 Server_Hello request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/imap.rules
</augment>
<augment 1108-10>
active T
comment "WEB-MISC Tomcat server snoop access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 977-7>
active T
comment "WEB-IIS .cnf access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1514-9>
active T
comment "WEB-CGI input2.bat arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 396-6>
active F
comment "ICMP Destination Unreachable Fragmentation Needed and DF bit was set"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 803-9>
active T
comment "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1268-12>
active T
comment "RPC portmap pcnfsd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2415-7>
active T
comment "EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1391-7>
active T
comment "WEB-MISC Phorecast remote code execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2436-2>
active F
comment "WEB-CLIENT Microsoft wmf metafile access"
requires-signature http_msie_client
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
comment "Informational only"
</augment>
<augment 1447-11>
active T
comment "MISC MS Terminal server request RDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 303-11>
active T
comment "DNS EXPLOIT named tsig overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 1720-4>
active T
comment "WEB-CGI talkback.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2229-4>
active T
comment "WEB-PHP viewtopic.php access"
comment "NOTE(review): the http pattern ends in [dD]*. so the star quantifies only the final d of user_password and the dot then matches one arbitrary byte; confirm whether a trailing .* was intended"
requires-reverse-signature ! http_error
sigaction SIG_LOG
http /.*[sS][uU][bB][sS][Ss][tT][rR][iI][nN][gG]\x28[uU][sS][eE][rR][pP][aA][sS][sS][wW][oO][rR][dD]*./
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 236-6>
active T
comment "DDOS Stacheldraht client check gag"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1023-9>
active T
comment "WEB-IIS msadcs.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 681-6>
active T
comment "MS-SQL/SMB xp_cmdshell program execution"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1629-6>
active T
comment "OTHER-IDS SecureNetPro traffic"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/other-ids.rules
</augment>
<augment 1200-10>
active F
comment "ATTACK-RESPONSES Invalid URL"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 2329-6>
active T
dst-port == 1434
dst-ip == local_nets
comment "MS-SQL probe response overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2019-4>
active T
comment "RPC mountd UDP dump request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 956-6>
active T
comment "WEB-FRONTPAGE register.txt access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 372-7>
active F
comment "ICMP PING Delphi-Piette Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1190-6>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 676-6>
active T
comment "MS-SQL/SMB sp_start_job - program execution"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2014-5>
active T
comment "RPC portmap UNSET attempt TCP 111"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 108-6>
active T
comment "BACKDOOR QAZ Worm Client Login access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2056-4>
active T
comment "WEB-MISC TRACE attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2068-2>
active T
comment "WEB-MISC BitKeeper arbitrary command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 361-12>
active T
comment "FTP SITE EXEC attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 586-8>
active T
comment "RPC portmap selection_svc request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 549-8>
active F
comment "P2P napster login"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 1704-5>
active T
comment "WEB-CGI cal_make.pl directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1342-5>
active T
comment "WEB-ATTACKS gcc command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2520-5>
active T
comment "WEB-MISC SSLv3 Client_Hello request"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1346-5>
active F
comment "WEB-ATTACKS cpp command attempt"
comment "too general"
comment "too many false positives"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 520-5>
active T
comment "TFTP root directory"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 1870-5>
active T
comment "WEB-CGI siteUserMod.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1864-7>
active T
comment FTP SITE NEWER attempt
comment "pcre: /^SITE\s+NEWER/smi"
ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR]/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[sS][iI][tT][eE].{1}.*[nN][eE][wW][eE][rR]/"
</delete>
</augment>
<augment 1002-6>
active T
comment "WEB-IIS cmd.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1823-7>
active T
dst-ip == local_nets
http /.*[\/\\](af|alienform)\.cgi\?.*\.\|\./
event "WEB-CGI AlienForm directory traversal attempt"
comment "WEB-CGI AlienForm af.cgi directory traversal attempt"
requires-reverse-signature ! http_error
<delete>
event "WEB-CGI AlienForm af.cgi directory traversal attempt"
http /.*[\/\\]af\.cgi/
payload /.*\.\x7C\.\/\.\x7C\./
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1556-7>
active T
comment "WEB-CGI DCShop orders.txt access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2263-6>
active T
comment SMTP SAML FROM sendmail prescan too many addresses overflow
comment "pcre: /^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^ ..."
payload "/((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[sS][aA][mM][lL] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 974-10>
active T
comment "WEB-IIS Directory transversal attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 690-7>
active T
comment "MS-SQL/SMB xp_printstatements possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1929-5>
active F
comment "BACKDOOR TCPDUMP/PCAP trojan traffic"
comment "Too general. Ephemeral Windows ports match this easily"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2048-2>
active T
comment "MISC rsyncd overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 386-5>
active F
comment "ICMP Address Mask Reply"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1134-7>
active T
comment "WEB-PHP Phorum admin access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 374-7>
active F
comment "ICMP PING IP NetMonitor Macintosh"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 309-9>
active T
comment "EXPLOIT sniffit overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 637-3>
active T
comment "SCAN Webtrends Scanner UDP Probe"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 978-11>
active T
comment "WEB-IIS ASP contents view"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1151-5>
active T
comment "WEB-MISC Domino domcfg.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2311-7>
active T
comment "NETBIOS SMB-DS DCERPC Workstation Service bind attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1955-6>
active T
comment "RPC AMD TCP version request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 833-8>
active T
comment "WEB-CGI rguest.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 883-5>
active T
comment "WEB-CGI flexform access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 887-6>
active T
comment "WEB-CGI www-sql access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 588-17>
active T
comment "RPC portmap ttdbserv request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1952-5>
active T
comment "RPC mountd UDP mount request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 144-9>
active T
comment "FTP ADMw0rm ftp login attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1039-6>
active T
comment "WEB-IIS srch.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1146-5>
active T
comment "WEB-MISC Ecommerce import.txt access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 121-5>
active F
comment "BACKDOOR Infector 1.6 Client to Server Connection Request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2119-5>
active T
comment IMAP rename literal overflow attempt
comment "pcre: /\sRENAME\s[^\n]*?\s\{/smi"
payload "/((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[rR][eE][nN][aA][mM][eE]/"
</delete>
</augment>
<augment 2424-3>
active T
comment NNTP sendsys overflow attempt
comment "pcre: /^sendsys\x3a[^\n]{21}/smi"
payload "/((^)|(\n+))[sS][eE][nN][dD][sS][yY][sS]\x3a[^\n]{21}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload "/.*[sS][eE][nN][dD][sS][yY][sS]/"
</delete>
</augment>
<augment 370-7>
active F
comment "ICMP PING BeOS4.x"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1050-7>
active T
comment "WEB-MISC iPlanet GETPROPERTIES attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 967-11>
active T
comment "WEB-FRONTPAGE dvwssr.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1487-4>
active T
comment "WEB-IIS /iisadmpwd/aexp2.htr access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1861-7>
active T
comment "WEB-MISC Linksys router default username and password login attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2348-6>
active T
comment "NETBIOS SMB-DS DCERPC print spool bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1259-5>
active T
comment "WEB-MISC SWEditServlet access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1206-10>
active T
comment "WEB-CGI cachemgr.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1542-6>
active T
comment "WEB-CGI cgimail access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2560-2>
active T
comment "EXPLOIT Oracle Web Cache MOVE overflow attempt"
comment pcre: /^MOVE[^s]{432}/sm
payload /((^)|(\n+))MOVE[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload /.*MOVE/
</delete>
</augment>
<augment 944-6>
active T
comment "WEB-FRONTPAGE fpremadm.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 110-4>
active T
comment "BACKDOOR netbus getinfo"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2086-4>
active T
comment "WEB-CGI streaming server parse_xml.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1721-4>
active T
comment "WEB-CGI adcycle access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2477-3>
active T
comment "NETBIOS SMB-DS Create AndX Request winreg unicode attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1663-6>
active T
comment "WEB-MISC *%0a.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1764-6>
active T
comment "WEB-CGI Nortel Contivity cgiproc DOS attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1093-10>
active T
comment "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 264-6>
active T
comment "DNS EXPLOIT x86 Linux overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 1859-5>
active T
comment "WEB-MISC Sun JavaServer default password login attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 804-9>
active T
comment "WEB-CGI SWSoft ASPSeek Overflow attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1691-3>
active T
comment "ORACLE ALTER USER attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 718-7>
active T
comment "TELNET login incorrect"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 2464-6>
active T
comment "EXPLOIT EIGRP prefix length overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 448-7>
active F
comment "ICMP Source Quench undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1189-6>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2248-3>
active T
comment "WEB-IIS DirectoryListing.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2029-5>
active T
comment "RPC yppasswd new password overflow attempt UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 865-8>
active T
comment "WEB-CGI ksh access"
requires-reverse-signature ! http_error
requires-signature ! http_shell_check
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 921-7>
active T
comment "WEB-COLDFUSION admin encrypt attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1205-6>
active T
comment "WEB-CGI axs.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 841-7>
active T
comment "WEB-CGI pfdisplay.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2021-4>
active T
comment "RPC mountd UDP unmount request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 219-6>
active T
comment "BACKDOOR HidePak backdoor attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 686-5>
active T
comment "MS-SQL xp_reg* - registry access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1939-4>
active T
comment "MISC bootp hardware address length overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 638-5>
active T
comment "SHELLCODE SGI NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1828-6>
active T
comment "WEB-MISC iPlanet Search directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2136-2>
active T
comment "WEB-MISC philboard_admin.asp authentication bypass attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1645-6>
active T
comment "WEB-CGI testcgi access"
dst-ip == local_nets
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 624-6>
active F
comment "SCAN SYN FIN"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 290-7>
active T
comment "POP3 EXPLOIT qpopper overflow"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 640-6>
active T
comment "SHELLCODE AIX NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1995-2>
active T
comment "WEB-CGI alya.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1411-10>
active T
comment "SNMP public access udp"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2456-3>
active F
comment "CHAT Yahoo IM file transfer request"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1524-9>
active T
comment "WEB-MISC AxisStorpoint CD attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1661-4>
active T
comment "WEB-IIS cmd32.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 809-11>
active T
comment "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2386-6>
active T
comment "WEB-IIS NTLM ASN.1 vulnerability scan attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 272-7>
active T
comment "DOS IGMP dos attack"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2301-4>
active T
comment "WEB-PHP Advanced Poll booth.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2334-2>
active T
comment FTP Yak! FTP server default account login attempt
comment "pcre: /^USER\s+y049575046/smi"
payload "/((^)|(\n+))USER[\x20\x09\x0b]+y049575046/"
sigaction SIG_LOG
requires-reverse-signature ! ftp_server_error
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[uU][sS][eE][rR]/"
payload "/.*[yY]049575046/"
</delete>
</augment>
<augment 1402-4>
active T
comment "WEB-IIS iissamples access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1243-11>
active T
comment "WEB-IIS ISAPI .ida attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 483-5>
active F
comment "ICMP PING CyberKit 2.2 Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 480-5>
active F
comment "ICMP PING speedera"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 316-6>
active T
comment "EXPLOIT x86 Linux mountd overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2536-3>
active T
comment "POP3 SSLv3 Server_Hello request"
requires-reverse-signature ! pop_return_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 618-8>
active F
comment "SCAN Squid Proxy attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1085-8>
active T
comment "WEB-PHP strings overflow"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2557-2>
active T
comment "EXPLOIT Oracle Web Cache LOCK overflow attempt"
comment pcre: /^LOCK[^s]{432}/sm
payload /((^)|(\n+))LOCK[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload /.*LOCK/
</delete>
</augment>
<augment 265-7>
active T
comment "DNS EXPLOIT x86 Linux overflow attempt ADMv2"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 2446-4>
active T
comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2453-3>
active F
comment "CHAT Yahoo IM conference invitation"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 832-11>
active T
comment "WEB-CGI perl.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1587-12>
active T
comment "WEB-MISC cgitest.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1575-4>
active T
comment "WEB-MISC Domino mab.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1555-7>
active T
dst-ip == local_nets
comment "WEB-CGI DCShop access"
comment "only important if destination is local_nets"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 647-6>
active T
comment "SHELLCODE sparc setuid 0"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 2514-7>
active T
comment "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1232-8>
active T
comment "WEB-MISC VirusWall catinfo access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1196-10>
active T
comment "WEB-CGI SGI InfoSearch fname attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1573-6>
active T
comment "WEB-CGI cgiforum.pl attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1989-4>
active F
comment "CHAT MSN file transfer reject"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 2505-7>
active T
comment "WEB-MISC SSLv3 invalid data version attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1594-10>
active T
comment "WEB-CGI FormHandler.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 551-7>
active F
comment "P2P napster download attempt"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 2080-6>
active T
comment "RPC portmap nlockmgr request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1987-6>
active T
comment "MISC xfs overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 699-7>
active T
comment "MS-SQL xp_printstatements possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2459-3>
active F
comment "CHAT Yahoo IM webcam offer invitation"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 651-8>
active T
comment "SHELLCODE x86 stealth NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 2486-5>
active T
comment "DOS ISAKMP invalid identification payload attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2325-2>
active T
comment "WEB-IIS VP-ASP ShopDisplayProducts.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1898-8>
active T
comment "EXPLOIT kadmind buffer overflow attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1215-6>
active T
comment "WEB-CGI ministats admin access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2545-4>
active T
comment "EXPLOIT AFP FPLoginExt username buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1162-7>
active T
comment "WEB-MISC cart 32 AdminPwd access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 576-8>
active T
comment "RPC portmap amountd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1714-4>
active T
comment "WEB-CGI newdesk access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 241-7>
active T
comment "DDOS shaft synflood"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 382-7>
active F
comment "ICMP PING Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2235-5>
active T
comment "WEB-MISC SpamExcp.dll access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 821-12>
active T
comment "WEB-CGI imagemap.exe overflow attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2207-6>
active T
comment "WEB-CGI fileseek.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 364-7>
active F
comment "ICMP IRDP router selection"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 509-6>
active T
comment "WEB-MISC PCCS mysql database admin tool access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 825-6>
active F
comment "WEB-CGI glimpse access"
comment "informational only"
comment "old signature from 06-01-1999"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1443-4>
active T
comment "TFTP GET passwd"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 1228-6>
active T
comment "SCAN nmap XMAS"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1460-5>
active T
comment "WEB-CGI bb-histsvc.sh access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2268-4>
active T
comment SMTP MAIL FROM sendmail prescan too long addresses overflow
comment "pcre: /^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
comment "note: the payload regex bounds the first and third address fields with {0,200} where the pcre requires {200,} for all three; confirm this loosening is intended"
payload "/((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 916-7>
active T
comment "WEB-COLDFUSION getodbcdsn access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1547-11>
active T
comment "WEB-CGI csSearch.cgi arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1845-15>
active T
comment IMAP list literal overflow attempt
comment "pcre: /\sLIST\s[^\n]*?\s\{/smi"
payload "/((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[lL][iI][sS][tT]/"
</delete>
</augment>
<augment 708-8>
active T
comment "MS-SQL/SMB xp_enumresultset possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 276-5>
active T
comment "DOS Real Audio Server"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 1599-7>
active T
comment "WEB-CGI search.cgi access"
http /.*[\/\\]search\.cgi\?.*letter\=[^\&]*?\.\.[\\\/]/
<delete>
http /.*[\/\\]search\.cgi/
</delete>
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2564-4>
active T
comment "NETBIOS NS lookup short response attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1105-5>
active T
comment "WEB-MISC BigBrother access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 680-6>
active T
comment "MS-SQL/SMB sa login failed"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1003-7>
active T
comment "WEB-IIS cmd? access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1356-5>
active T
comment "WEB-ATTACKS perl execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2548-1>
active T
comment "MISC HP Web JetAdmin setinfo access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 675-6>
active T
comment "MS-SQL xp_setsqlsecurity possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2222-5>
active T
comment "WEB-CGI nph-exploitscanget.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2218-6>
active T
dst-ip == local_nets
comment "WEB-CGI service.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1658-7>
active T
comment "WEB-CGI pagelog.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1256-8>
active T
comment "WEB-IIS CodeRed v2 root.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1813-5>
active T
comment "ICMP digital island bandwidth query"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 2251-11>
active T
comment "NETBIOS DCERPC Remote Activation bind attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 422-7>
active T
comment "ICMP Mobile Registration Reply undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 973-10>
active T
comment "WEB-IIS *.idc attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1706-7>
active T
comment "WEB-CGI echo.bat access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1637-7>
active F
comment "WEB-CGI yabb access"
comment "informational only"
comment "old signature from 2000"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1748-7>
active F
comment "FTP command overflow attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 868-9>
active T
comment "WEB-CGI rsh access"
requires-reverse-signature ! http_error
requires-signature ! http_shell_check
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 424-7>
active T
comment "ICMP Mobile Registration Request undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2085-4>
active T
comment "WEB-CGI parse_xml.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 619-5>
active T
comment "SCAN cybercop os probe"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1732-9>
active T
comment "RPC portmap rwalld request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2403-4>
active T
comment "NETBIOS SMB Session Setup AndX request unicode username overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 610-5>
active T
comment "RSERVICES rsh root"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 1021-11>
active T
comment "WEB-IIS ism.dll attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1307-9>
active T
dst-ip == local_nets
comment "WEB-CGI store.cgi access"
comment "verify application is not vulnerable"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 850-5>
active T
comment "WEB-CGI wais.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2392-4>
active T
comment FTP RETR overflow attempt
comment "pcre: /^RETR\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[rR][eE][tT][rR]/"
</delete>
</augment>
<augment 1053-10>
active T
comment "WEB-CGI ads.cgi command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 920-7>
active T
comment "WEB-COLDFUSION datasource attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1590-7>
active T
comment "WEB-CGI faqmanager.cgi arbitrary file access attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1755-14>
active T
comment IMAP partial body buffer overflow attempt
comment pcre: /\sPARTIAL.*BODY\[[^\]]{1024}/smi
payload "/((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\[[^\]]{1024}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[pP][aA][rR][tT][iI][aA][lL].*.*[bB][oO][dD][yY]\[/"
</delete>
</augment>
<augment 1852-3>
active F
comment "WEB-MISC robots.txt access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 924-7>
active T
comment "WEB-COLDFUSION admin decrypt attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2225-1>
active T
comment "WEB-CGI gozila.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1125-8>
active T
comment "WEB-MISC webcart access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 612-6>
active T
comment "RPC rusers query UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 228-3>
active T
comment "DDOS TFN client command BE"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1182-17>
active T
comment "WEB-MISC cgitest.exe attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 696-7>
active T
comment "MS-SQL/SMB xp_showcolv possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 356-5>
active T
comment "FTP passwd retrieval attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
<delete>
payload /.*passwd/
</delete>
payload /[\x20\x09\x0b\/.]*passwd[\x20\x09\x0b]*$/
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1251-6>
active T
comment "INFO TELNET Bad Login"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/info.rules
</augment>
<augment 704-6>
active T
comment "MS-SQL xp_sprintf possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2145-3>
active T
comment "WEB-PHP TextPortal admin.php default password admin attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 239-2>
active T
comment "DDOS shaft handler to agent"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1895-8>
active T
comment "EXPLOIT kadmind buffer overflow attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2079-6>
active T
comment "RPC portmap nlockmgr request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 986-6>
active T
comment "WEB-IIS MSProxy access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 942-6>
active T
comment "WEB-FRONTPAGE orders.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1458-6>
active T
comment "WEB-CGI user_update_passwd.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2217-6>
active T
comment "WEB-CGI printmail.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1752-4>
active T
comment "MISC AIM AddExternalApp attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 957-6>
active T
comment "WEB-FRONTPAGE registrations.txt access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 945-6>
active T
comment "WEB-FRONTPAGE fpadmin.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1572-7>
active T
comment "WEB-CGI commerce.cgi arbitrary file access attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 261-6>
active T
comment "DNS EXPLOIT named overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 1068-6>
active T
comment "WEB-MISC tftp attempt"
requires-reverse-signature ! http_error
http /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
<delete>
payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1326-6>
active T
comment "EXPLOIT ssh CRC32 overflow NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2537-3>
active T
comment "POP3 SSLv3 invalid Client_Hello attempt"
requires-reverse-signature ! pop_return_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 2438-3>
active T
comment "WEB-CLIENT RealPlayer playlist file URL overflow attempt"
comment pcre: /^file\x3a\x2f\x2f[^\n]{400}/smi
payload /((^)|(\n+))[fF][iI][lL][eE]\x3a\x2f\x2f[^\n]{400}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
<delete>
payload /.*[fF][iI][lL][eE]\x3A\/\//
</delete>
</augment>
<augment 580-9>
active T
comment "RPC portmap nisd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2372-2>
active F
comment "WEB-PHP Photopost PHP Pro showphoto.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2441-3>
active T
comment WEB-MISC NetObserve authentication bypass attempt
comment pcre: /^Cookie\x3a[^\n]*?login=0/smi
http /((^)|(\n+))[cC][oO][oO][kK][iI][eE]\x3a[^\n]*?[lL][oO][gG][iI][nN]=0/
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
payload /.*[lL][oO][gG][iI][nN]=0/
payload /.*[cC][oO][oO][kK][iI][eE]\x3A/
</delete>
</augment>
<augment 653-8>
active T
comment "SHELLCODE x86 unicode NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 2418-3>
active T
comment "MISC MS Terminal Server no encryption session initiation attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1664-5>
active T
comment "WEB-MISC mkplog.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 221-3>
active T
comment "DDOS TFN Probe"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 2554-2>
active T
comment "EXPLOIT Oracle Web Cache POST overflow attempt"
comment pcre: /^POST[^s]{432}/sm
payload /((^)|(\n+))POST[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload /.*POST/
</delete>
</augment>
<augment 1986-4>
active F
comment "CHAT MSN file transfer request"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 2300-4>
active T
comment "WEB-PHP Advanced Poll admin_tpl_new.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1261-10>
active T
comment "EXPLOIT AIX pdnsd overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1531-6>
active T
comment "WEB-CGI bb-hist.sh attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 404-6>
active F
comment "ICMP Destination Unreachable Protocol Unreachable"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2115-2>
active T
comment "WEB-CGI album.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1598-7>
active T
comment "WEB-CGI Home Free search.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1700-8>
active F
comment "WEB-CGI imagemap.exe access"
comment "informational only"
comment "old signature from 10-22-1999"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1064-6>
active T
comment "WEB-MISC wsh attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1882-10>
active T
comment "ATTACK-RESPONSES id check returned userid"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1412-13>
active T
comment "SNMP public access tcp"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2190-3>
active T
comment "NETBIOS DCERPC invalid bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 578-8>
active T
comment "RPC portmap cmsd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1208-6>
active T
comment "WEB-CGI responder.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2524-7>
active T
comment "NETBIOS DCERPC LSASS direct bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 153-5>
active T
comment "BACKDOOR DonaldDick 1.53 Traffic"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2495-5>
active T
comment "NETBIOS SMB DCERPC ORPCThis request flood attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2053-2>
active F
comment "WEB-CGI proces_bug.cgi access"
comment "informational only"
comment "not exploit worthy"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2238-5>
active T
comment "WEB-MISC WebLogic ConsoleHelp view source attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2324-2>
active T
comment "WEB-IIS VP-ASP shopsearch.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1409-10>
active T
comment "SNMP community string buffer overflow attempt"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2124-3>
active T
comment "BACKDOOR Remote PC Access connection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1123-9>
active T
comment "WEB-MISC ?PageServices access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 591-10>
active T
comment "RPC portmap ypupdated request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2155-5>
active T
comment "WEB-PHP ttforum remote file include attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 357-5>
active T
comment "FTP piss scan"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 622-6>
active T
comment "SCAN ipEye SYN scan"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 643-7>
active F
comment "SHELLCODE HP-UX NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 908-8>
active T
comment "WEB-COLDFUSION administrator access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 106-8>
active T
comment "BACKDOOR ACKcmdC trojan scan"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 716-10>
active F
comment "TELNET access"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 2401-4>
active T
comment "NETBIOS SMB Session Setup AndX request username overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1154-5>
active T
comment "WEB-MISC Domino names.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1046-6>
active T
comment "WEB-IIS site/iisamples access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2261-4>
active T
comment SMTP SEND FROM sendmail prescan too many addresses overflow
comment "pcre: /^SEND FROM\x3a\s*[^\n]*?<[^\n]* ..."
payload "/((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[sS][eE][nN][dD] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 1998-4>
active F
comment "WEB-PHP calendar.php access"
comment "informational only"
comment "too general"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 390-5>
active T
comment "ICMP Alternate Host Address"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1515-9>
active T
comment "WEB-CGI input2.bat access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1734-16>
active T
comment FTP USER overflow attempt
comment "pcre: /^USER\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[uU][sS][eE][rR]/"
</delete>
</augment>
<augment 2006-10>
active T
comment "RPC portmap kcms_server request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1080-13>
active T
comment "WEB-MISC unify eWave ServletExec upload"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2547-2>
active T
comment "MISC HP Web JetAdmin remote file upload attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1041-6>
active T
comment "WEB-IIS uploadn.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2210-5>
active T
comment "WEB-CGI global.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2183-5>
active F
comment "Sendmail SMTP Content-Transfer-Encoding overflow attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
comment "Fair number of false positives; haven't found a way to tighten this signature to make it more accurate"
comment "Released on 2003-03-30"
</augment>
<augment 1840-5>
active T
comment "WEB-CLIENT Javascript document.domain attempt"
requires-signature http_msie_client
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 1351-5>
active T
comment "WEB-ATTACKS bin/tclsh execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 806-11>
active T
comment "WEB-CGI yabb directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1881-6>
active T
comment "WEB-MISC bad HTTP/1.1 request, Potential worm attack"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1372-5>
active T
comment "WEB-ATTACKS /etc/shadow access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
comment "Many false positives are possible"
payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:.*:.*:.*:.*:.*:.*:/
<delete>
payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW]/
</delete>
</augment>
<augment 1418-11>
active T
comment "SNMP request tcp"
requires-reverse-signature snmp_tserver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2230-5>
active T
comment "WEB-MISC NetGear router default password login attempt admin/password"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1508-5>
active T
comment "WEB-CGI alibaba.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1760-3>
active T
comment "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/other-ids.rules
</augment>
<augment 1043-7>
active T
comment "WEB-IIS viewcode.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 678-6>
active T
comment "MS-SQL/SMB sp_delete_alert log file deletion"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 950-7>
active T
comment "WEB-FRONTPAGE cfgwiz.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1042-8>
active T
comment "WEB-IIS view source via translate header"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1444-3>
active T
comment "TFTP Get"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 1582-4>
active T
comment "WEB-MISC Domino collect4.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1099-6>
active T
comment "WEB-MISC cybercop scan"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 614-7>
active T
comment "BACKDOOR hack-a-tack attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2003-6>
active F
comment "MS-SQL Worm propagation attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1474-7>
active T
comment "WEB-CGI cal_make.pl access"
requires-reverse-signature ! http_error
# NOTE(review): the narrowed pattern only fires when the "../" run follows
# "cal_make.pl" immediately; a traversal carried later in the URI (e.g. in a
# query parameter) would need ".*" before "(\.\.\/){2,}" -- confirm intent.
http /.*[\/\\]cal_make\.pl(\.\.\/){2,}/
<delete>
http /.*[\/\\]cal_make\.pl/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 689-6>
active T
comment "MS-SQL/SMB xp_reg* registry access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 411-5>
active F
comment "ICMP IPV6 I-Am-Here"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2382-8>
active T
comment "NETBIOS SMB NTLMSSP invalid mechtype attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2402-5>
active T
comment "NETBIOS SMB-DS Session Setup AndX request username overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2573-1>
active T
comment "WEB-IIS SmarterTools SmarterMail frmCompose.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1212-5>
active T
comment "WEB-MISC Admin_files access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2243-4>
active T
comment "WEB-MISC ndcgi.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 642-6>
active T
comment "SHELLCODE HP-UX NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 2028-5>
active T
comment "RPC yppasswd old password overflow attempt TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1294-10>
active T
comment "NETBIOS nimda .nws"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1305-6>
active T
comment "WEB-CGI txt2html.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 882-5>
active F
comment "WEB-CGI calendar access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 994-7>
active T
comment "WEB-IIS /scripts/iisadmin/default.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 906-7>
active T
comment "WEB-COLDFUSION getfile.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1914-10>
active T
comment "RPC STATD TCP stat mon_name format string exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1226-4>
active T
comment "X11 xopen"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/x11.rules
</augment>
<augment 605-6>
active T
comment "RSERVICES rlogin login failure"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 685-5>
active T
comment "MS-SQL sp_adduser - database user creation"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1740-5>
active T
comment "WEB-PHP DNSTools authentication bypass attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
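<augment 2318-3>
active T
comment MISC CVS non-relative path access attempt
comment "pcre: m?^Argument\s+/?smi,/^Directory/smiR"
comment "payload follows the pcre above: Argument keyword, run of whitespace, then a leading '/' (the non-relative path)"
comment "previous pattern had a mismatched character class ('[Uu}' and a stray ']') and could not match as intended"
payload "/((^)|(\n+))[aA][rR][gG][uU][mM][eE][nN][tT][\x20\x09\x0b]+\//"
payload "/.*[Dd][Ii][Rr][Ee][Cc][Tt][Oo][Rr][Yy]/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
<delete>
payload "/.*Argument/"
</delete>
</augment>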
<augment 185-5>
active T
comment "BACKDOOR CDK"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1940-3>
active T
comment "MISC bootp invalid hardware type"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 152-6>
active T
comment "BACKDOOR BackConstruction 2.1 Connection"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 623-5>
active F
comment "SCAN NULL"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1276-14>
active T
comment "RPC portmap ypserv request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 141-5>
active F
comment "BACKDOOR HackAttack 1.20 Connect"
comment "too many false positives, as this port is in the Linux ephemeral port range"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1415-9>
active T
comment "SNMP Broadcast request"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 1770-3>
active T
comment "WEB-MISC .FBCIndex access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1639-6>
active T
comment "CHAT IRC DCC file transfer request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1272-10>
active T
comment "RPC portmap sadmind request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1640-6>
active T
comment "CHAT IRC DCC chat request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 698-8>
active T
comment "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2413-7>
active T
comment "EXPLOIT ISAKMP delete hash with empty hash attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1430-7>
active T
comment "TELNET Solaris memory mismanagement exploit attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 2200-6>
active T
comment "WEB-CGI dnewsweb.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1088-9>
active T
dst-ip == local_nets
comment "WEB-CGI eXtropia webstore directory traversal"
requires-reverse-signature ! http_error
<delete>
http /.*[\/\\]web_store\.cgi/
payload /.*page=\.\.\//
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1263-11>
active T
comment "RPC portmap amountd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 354-5>
active T
comment "FTP iss scan"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1766-7>
active T
comment "WEB-MISC search.dll directory listing attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1363-5>
active T
comment "WEB-ATTACKS X application to remote host attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1386-8>
active T
comment "MS-SQL/SMB raiserror possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2211-5>
active T
comment "WEB-CGI guestserver.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 827-7>
active T
comment "WEB-CGI info2www access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1595-10>
active T
comment "WEB-IIS htimage.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1194-8>
active T
comment "WEB-CGI sojourn.cgi File attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 608-5>
active T
comment "RSERVICES rsh echo + +"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 481-5>
active T
comment "ICMP TJPingPro1.1Build 2 Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 939-6>
active T
comment "WEB-FRONTPAGE posting"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
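<augment 1610-11>
active T
comment "WEB-CGI formmail arbitrary command execution attempt"
comment "the {0,5} quantifier was bound to the trailing 'l' of formmail; it now allows up to 5 arbitrary chars (e.g. a script extension) between formmail and the query string"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
http /.*[\/\\]formmail.{0,5}\?/
<delete>
http /.*[\/\\]formmail/
</delete>
</augment>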
<augment 2061-4>
active T
comment "WEB-MISC Tomcat null byte directory listing attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 817-10>
active T
comment "WEB-CGI dcboard.cgi invalid user addition attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 501-4>
active T
comment "MISC source route lssre"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 388-5>
active T
comment "ICMP Address Mask Request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 625-6>
active F
comment "SCAN XMAS"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1193-10>
active T
comment "WEB-MISC oracle web arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1545-7>
active T
comment "DOS Cisco attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2458-3>
active F
comment "CHAT Yahoo IM successful chat join"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 232-5>
active T
comment "DDOS Trin00 Daemon to Master *HELLO* message detected"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1062-6>
active T
comment "WEB-MISC nc.exe attempt"
comment "sig too general - add some clarity. remove if noise continues"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
http /.*[nN][cC]\.[eE][xX][eE]\x20.{5}/
<delete>
payload /.*[nN][cC]\.[eE][xX][eE]/
</delete>
</augment>
<augment 935-6>
active T
comment "WEB-COLDFUSION startstop DOS access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2376-3>
active T
comment "EXPLOIT ISAKMP first payload certificate request length overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2180-2>
active F
comment "P2P BitTorrent announce request"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 2443-4>
active T
comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1856-7>
active T
comment "DDOS Stacheldraht handler->agent ficken"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1254-8>
active T
comment "WEB-PHP PHPLIB remote command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1536-8>
active T
comment "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1224-10>
active T
comment "WEB-MISC ROADS search.pl attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 853-9>
active F
comment "WEB-CGI wrap access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
comment "informational only"
</augment>
<augment 1433-5>
active T
comment "WEB-MISC .history access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1157-7>
active T
comment "WEB-MISC Netscape PublishingXpert access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1269-10>
active T
comment "RPC portmap rexd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1048-9>
active T
comment "WEB-MISC Netscape Enterprise directory listing attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 145-5>
active T
comment "BACKDOOR GirlFriendaccess"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 641-6>
active T
comment "SHELLCODE Digital UNIX NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1394-5>
active T
comment "SHELLCODE x86 NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 2572-2>
active T
comment "WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1814-6>
active T
comment "WEB-MISC CISCO VoIP DOS ATTEMPT"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1343-5>
active T
comment "WEB-ATTACKS /usr/bin/cc command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 184-6>
active F
comment "BACKDOOR Q access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2227-2>
active T
comment "WEB-PHP forum_details.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1843-6>
active T
comment "BACKDOOR trinity connection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 446-7>
active T
comment "ICMP SKIP undefined code"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2196-6>
active F
comment "WEB-CGI catgy.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1534-8>
active T
comment "WEB-CGI agora.cgi attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1958-5>
active T
comment "RPC sadmind TCP PING"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 104-7>
active T
comment "BACKDOOR - Dagger_1.4.0_client_connect"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2015-5>
active T
comment "RPC portmap UNSET attempt UDP 111"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1710-4>
active T
comment "WEB-CGI bbs_forum.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 519-6>
active T
comment "TFTP parent directory"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 1344-5>
active T
comment "WEB-ATTACKS cc command attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1792-8>
active T
comment NNTP return code buffer overflow attempt
comment "pcre: /^200\s[^\n]{64}/smi"
payload "/((^)|(\n+))200[\x20\x09\x0b][^\n]{64}/"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload "/.*200/"
</delete>
</augment>
<augment 2481-3>
active T
comment "NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2467-3>
active T
comment "NETBIOS SMB D$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 429-6>
active T
comment "ICMP Photuris Reserved"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1338-6>
active T
comment "WEB-ATTACKS chown command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
http /.*\/[cC][hH][oO][wW][nN]([^-a-zA-Z0-9_.]|$)/
<delete>
payload /.*\/[cC][hH][oO][wW][nN]/
</delete>
</augment>
<augment 445-5>
active T
comment "ICMP SKIP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1511-9>
active T
comment "WEB-CGI test.bat access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1214-5>
active F
comment "WEB-MISC intranet access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1222-9>
active T
comment "WEB-CGI pals-cgi arbitrary file access attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1860-4>
active T
comment "WEB-MISC Linksys router default password login attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1303-7>
active T
comment "WEB-MISC cs.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2049-2>
active F
comment "MS-SQL ping attempt"
src-port != 53
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
comment Informational only
</augment>
<augment 1422-10>
active T
comment "SNMP community string buffer overflow attempt with evasion"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 1932-3>
active T
comment "WEB-CGI rpc-smb.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1455-5>
active F
comment "WEB-CGI calender.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 292-8>
active T
comment "EXPLOIT x86 Linux samba overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1678-5>
active T
comment "ORACLE select like '%' attempt backslash escaped"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 157-5>
active T
comment "BACKDOOR BackConstruction 2.1 Client FTP Open Request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1633-6>
active F
comment "CHAT AIM receive message"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 244-3>
active T
comment "DDOS mstream handler to agent"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1350-5>
active F
comment "WEB-ATTACKS python access attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1327-7>
active T
comment "EXPLOIT ssh CRC32 overflow"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 391-8>
active T
comment "ICMP Alternate Host Address undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 844-7>
active T
comment "WEB-CGI args.bat access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2379-3>
active T
comment "EXPLOIT ISAKMP forth payload certificate request length overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 358-5>
active T
comment "FTP saint scan"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 719-7>
active T
comment "TELNET root login"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 460-7>
active T
comment "ICMP unassigned type 2"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1330-5>
active T
comment "WEB-ATTACKS wget command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
comment "would like to inspect contents of reply"
</augment>
<augment 2414-7>
active T
comment "EXPLOIT ISAKMP initial contact notification without SPI attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1893-4>
active F
comment "SNMP missing community string attempt"
comment "this relates to unpatched NT 4.0 (pre-SP4), circa 1999"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2093-5>
active T
comment "RPC portmap proxy integer overflow attempt TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2241-5>
active T
comment "WEB-MISC cwmail.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1903-8>
active T
comment IMAP rename overflow attempt
comment "pcre: /\sRENAME\s[^\n]{100}/smi"
payload "/((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]{100}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[rR][eE][nN][aA][mM][eE]/"
</delete>
</augment>
<augment 2555-2>
active T
comment "EXPLOIT Oracle Web Cache TRACE overflow attempt"
comment pcre: /^TRACE[^s]{432}/sm
# NOTE(review): "[^s]" excludes only the letter 's'; if the upstream pcre is
# "[^\s]" (non-whitespace), this pattern matches a different byte set -- confirm.
payload /((^)|(\n+))TRACE[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload /.*TRACE/
</delete>
</augment>
<augment 961-6>
active T
comment "WEB-FRONTPAGE services.cnf access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1186-6>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2546-1>
active T
comment "FTP MDTM overflow attempt"
comment pcre: /^MDTM\s[^\n]{100}/smi
payload /((^)|(\n+))[mM][dD][tT][mM][\x20\x09\x0b][^\n]{100}/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[mM][dD][tT][mM]/
</delete>
</augment>
<augment 1873-4>
active T
comment "WEB-MISC globals.jsa access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 253-4>
active T
comment "DNS SPOOF query response PTR with TTL of 1 min. and no authority"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 313-4>
active T
comment "EXPLOIT ntalkd x86 Linux overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2051-3>
active T
comment "WEB-CGI cached_feed.cgi moreover shopping cart access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1725-6>
active T
comment "WEB-IIS +.htr code fragment attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1309-9>
active T
comment "WEB-CGI zsh access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1221-6>
active T
comment "WEB-MISC musicat empower access"
requires-reverse-signature ! http_error
http /.*[\/\\]empower\?DB=.{1,}/
<delete>
http /.*[\/\\]empower/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1617-8>
active T
comment "WEB-CGI Bugzilla doeditvotes.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1091-7>
active F
comment "WEB-MISC ICQ Webfront HTTP DOS"
comment "too general"
comment "too many false positives"
comment "exploit from year 2000"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1733-9>
active T
comment "RPC portmap rwalld request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1113-5>
active T
comment "WEB-MISC http directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2050-5>
active T
comment "MS-SQL version overflow attempt"
sigaction SIG_FILE
# sigaction SIG_SUMMARY
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1535-7>
active T
comment "WEB-CGI bizdbsearch access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1776-2>
active T
comment "MYSQL show databases attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/mysql.rules
</augment>
<augment 603-5>
active T
comment "RSERVICES rlogin echo++"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 1291-8>
active T
comment "WEB-MISC sml3com access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 485-4>
active F
comment "ICMP Destination Unreachable Communication Administratively Prohibited"
sigaction SIG_FILE
# sigaction SIG_SUMMARY
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 1280-9>
active T
comment "RPC portmap listing UDP 111"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1242-10>
active T
comment "WEB-IIS ISAPI .ida access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1889-5>
active T
comment "MISC slapper worm admin traffic"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 870-5>
active T
comment "WEB-CGI snorkerz.cmd access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1353-5>
active T
comment "WEB-ATTACKS bin/nasm command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1233-9>
active F
comment "WEB-CLIENT Outlook EML access"
comment "too general"
comment "not an exploit"
requires-signature http_msie_client
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 2277-4>
active T
comment "WEB-MISC PeopleSoft PeopleBooks psdoccgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1922-6>
active T
comment "RPC portmap proxy attempt TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1644-8>
active T
comment "WEB-CGI test-cgi attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2425-3>
active T
comment NNTP senduuname overflow attempt
comment pcre: /^senduuname\x3a[^\n]{21}/smi
payload /((^)|(\n+))[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]\x3a[^\n]{21}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload /.*[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]/
</delete>
</augment>
<augment 582-8>
active T
comment "RPC portmap rexd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 952-6>
active T
comment "WEB-FRONTPAGE author.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1709-4>
active F
comment "WEB-CGI ad.cgi access"
comment "rule too general, no details provided to fix"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2047-2>
active F
comment "MISC rsyncd module list access"
comment "informational only, not exploit worthy"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 911-7>
active T
comment "WEB-COLDFUSION exprcalc access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2219-6>
active T
comment "WEB-CGI setpasswd.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1543-12>
active F
comment "WEB-CGI cgiwrap access"
comment "too general to be useful"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1454-6>
active T
comment "WEB-CGI wwwwais access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 452-7>
active F
comment "ICMP Timestamp Reply undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2561-2>
active T
comment "MISC rsync backup-dir directory traversal attempt"
comment pcre: /--backup-dir\s+\x2e\x2e\x2f/
payload /--backup-dir[\x20\x09\x0b]+\x2e\x2e\x2f/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
<delete>
payload /.*--backup-dir/
</delete>
</augment>
<augment 1216-5>
active T
comment "WEB-MISC filemail access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2390-4>
active T
comment FTP STOU overflow attempt
comment pcre: /^STOU\s[^\n]{100}/smi
eval dataSizeG100
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
payload /((^)|(\n+))[sS][tT][oO][uU][\x20\x09\x0b][^\n]{100}/
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[sS][tT][oO][uU]/
</delete>
</augment>
<augment 491-8>
active T
comment "INFO FTP Bad login"
comment pcre: /^530\s+(Login|User)/smi
ftp /((^)|(\n+))530[\x20\x09\x0b]+([lL][oO][gG][iI][nN]|[uU][sS][eE][rR])/
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/info.rules
<delete>
payload /.*530 /
</delete>
</augment>
<augment 246-2>
active T
comment "DDOS mstream agent pong to handler"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 324-5>
active T
comment "FINGER null request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 2440-3>
active T
comment "WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"
comment pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 881-5>
active T
comment "WEB-CGI archie access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 829-9>
active T
comment "WEB-CGI nph-test-cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 330-9>
active T
comment "FINGER redirection attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 981-9>
active T
comment "WEB-IIS unicode directory traversal attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 847-7>
active T
comment "WEB-CGI campas access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1132-6>
active T
comment "WEB-MISC Netscape Unixware overflow"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2534-3>
active T
comment "MISC LDAP SSLv3 invalid Client_Hello attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 227-6>
active T
comment "DDOS Stacheldraht client spoofworks"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1902-9>
active T
comment "IMAP lsub literal overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
<delete>
payload /.*[lL][sS][uU][bB]/
</delete>
</augment>
<augment 1648-7>
active T
comment "WEB-CGI perl.exe command attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1965-8>
active T
comment "RPC tooltalk TCP overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1723-7>
active T
comment "WEB-CGI emumail.cgi NULL attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1147-7>
active T
comment "WEB-MISC cat%20 access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2240-3>
active T
comment "WEB-MISC changepw.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1825-6>
active F
dst-ip == local_nets
comment "WEB-CGI AlienForm af.cgi access"
comment "informational only"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1529-10>
active T
comment FTP SITE overflow attempt
comment "pcre: /^SITE\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[sS][iI][tT][eE]/"
</delete>
</augment>
<augment 486-4>
active F
comment "ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 1459-5>
active T
comment "WEB-CGI bb-histlog.sh access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2213-6>
active T
comment "WEB-CGI mailfile.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 474-4>
active F
comment "ICMP superscan echo"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 1383-6>
active F
comment "P2P Fastrack kazaa/morpheus GET request"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 2032-5>
active T
comment "RPC yppasswd user update TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1267-11>
active T
comment "RPC portmap nisd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2308-6>
active T
comment "NETBIOS SMB DCERPC Workstation Service unicode bind attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 268-4>
active T
comment "DOS Jolt attack"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 1072-9>
active T
comment "WEB-MISC Lotus Domino directory traversal"
requires-reverse-signature ! http_error
http /.*\.nsf[\/\\].*(\.\.\/){1,}.{2,}/
<delete>
http /.*\.nsf[\/\\]/
http /.*\.\.[\/\\]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 613-5>
active F
comment "SCAN myscan"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 251-3>
active T
comment "DDOS - TFN client command LE"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 400-7>
active F
comment "ICMP Destination Unreachable Network Unreachable for Type of Service"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1124-5>
active F
comment "WEB-MISC Ecommerce check.txt access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1805-4>
active T
comment "WEB-CGI Oracle reports CGI access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 889-7>
active T
comment "WEB-CGI ppdscgi.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 432-6>
active T
comment "ICMP Photuris Valid Security Parameters, But Decryption Failed"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1862-7>
active T
comment "WEB-CGI mrtg.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2473-3>
active T
comment "NETBIOS SMB ADMIN$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 437-6>
active F
comment "ICMP Redirect for TOS and Network"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 904-7>
active T
comment "WEB-COLDFUSION exampleapp application.cfm"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1930-3>
active T
comment "IMAP auth literal overflow attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/imap.rules
</augment>
<augment 230-5>
active T
comment "DDOS shaft client login to handler"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 583-9>
active T
comment "RPC portmap rstatd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 837-8>
active T
comment "WEB-CGI uploader.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1485-4>
active T
comment "WEB-IIS mkilog.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 536-7>
active T
comment "NETBIOS SMB D$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1161-9>
active T
comment "WEB-PHP piranha passwd.php3 access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 648-7>
active T
comment "SHELLCODE x86 NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1301-11>
active T
comment "WEB-PHP admin.php access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 713-7>
active F
comment "TELNET livingston DOS"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 1286-6>
active T
comment "WEB-IIS _mem_bin access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1554-9>
active T
dst-ip == local_nets
comment "WEB-CGI dbman db.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1909-10>
active T
comment "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 286-9>
active T
comment "POP3 EXPLOIT x86 BSD overflow"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 1816-3>
active T
comment "WEB-PHP directory.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
<delete>
http /.*[\/\\]directory\.php/
</delete>
http /.*[\/\\]directory\.php[\;\|]{1,}/
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 421-5>
active T
comment "ICMP Mobile Registration Reply"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1366-5>
active T
comment "WEB-ATTACKS mail command attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 409-7>
active F
comment "ICMP Echo Reply undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2271-2>
active T
comment "BACKDOOR FsSniffer connection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1509-9>
active T
comment "WEB-CGI AltaVista Intranet Search directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1202-5>
active T
comment "WEB-MISC search.vts access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2426-3>
active T
comment NNTP version overflow attempt
comment "pcre: /^version\x3a[^\n]{21}/smi"
payload "/((^)|(\n+))[vV][eE][rR][sS][iI][oO][nN]\x3a[^\n]{21}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload "/.*[vV][eE][rR][sS][iI][oO][nN]/"
</delete>
</augment>
<augment 1225-4>
active T
comment "X11 MIT Magic Cookie detected"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/x11.rules
</augment>
<augment 1994-3>
active T
comment "WEB-CGI vpasswd.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 538-10>
active T
comment "NETBIOS SMB IPC$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2034-7>
active T
comment "RPC ypserv maplist request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2138-2>
active T
comment "WEB-MISC logicworks.ini access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1355-5>
active T
comment "WEB-ATTACKS /usr/bin/perl execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2022-4>
active T
comment "RPC mountd TCP unmountall request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1708-7>
active T
comment "WEB-CGI hello.bat access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 454-7>
active F
comment "ICMP Timestamp Request undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2279-2>
active T
comment "WEB-PHP UpdateClasses.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 684-5>
active T
comment "MS-SQL sp_delete_alert log file deletion"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 922-6>
active T
comment "WEB-COLDFUSION displayfile access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1954-5>
active T
comment "RPC AMD UDP pid request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 323-5>
active T
comment "FINGER root query"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 2430-3>
active T
comment NNTP newgroup overflow attempt
comment "pcre: /^newgroup\x3a[^\n]{21}/smi"
payload "/((^)|(\n+))[nN][eE][wW][gG][rR][oO][uU][pP]\x3a[^\n]{21}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload "/.*[nN][eE][wW][gG][rR][oO][uU][pP]/"
</delete>
</augment>
<augment 2432-2>
active F
comment "NNTP article post without path attempt"
comment pcre: ! /^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si
comment Negation of a pattern is not supported
payload /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][aA][tT][hH]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload /.*[tT][aA][kK][eE][tT][hH][iI][sS]/
</delete>
</augment>
<augment 903-7>
active T
comment "WEB-COLDFUSION cfcache.map access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2460-3>
active F
comment CHAT Yahoo IM webcam request
comment "informational only"
comment pcre translate
payload "/((^)|(\n+))\x3c([rR][eE][qQ][iI][mM][gG]|[rR][vV][wW][cC][fF][gG])\x3e/"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1097-6>
active T
comment "WEB-CGI Talentsoft Web+ exploit attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 406-6>
active F
comment "ICMP Destination Unreachable Source Route Failed"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 550-8>
active F
comment "P2P napster new user login"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 1371-5>
active F
comment "WEB-ATTACKS /etc/motd access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
comment "informational only"
</augment>
<augment 943-6>
active T
comment "WEB-FRONTPAGE fpsrvadm.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 852-8>
active T
comment "WEB-CGI wguest.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 306-9>
active F
comment "EXPLOIT VQServer admin"
comment Too many false positives!!!!!!!!!!!!!!
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 399-6>
active F
comment "ICMP Destination Unreachable Host Unreachable"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 891-5>
active T
comment "WEB-CGI upload.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1396-8>
active T
comment "WEB-CGI zml.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 691-5>
active T
comment "MS-SQL shellcode attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1255-8>
active T
comment "WEB-PHP PHPLIB remote command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 910-5>
active T
comment "WEB-COLDFUSION fileexists.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2122-7>
active T
comment "POP3 UIDL negative argument attempt"
comment "pcre: /^UIDL\s+-\d/smi"
payload "/((^)|(\n+))[uU][iI][dD][lL][\x20\x09\x0b]+-[0-9]/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
<delete>
payload "/.*[uU][iI][dD][lL]/"
</delete>
</augment>
<augment 1414-11>
active T
comment "SNMP private access tcp"
requires-reverse-signature snmp_tserver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 1288-6>
active T
comment "WEB-FRONTPAGE /_vti_bin/ access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1354-5>
active T
comment "WEB-ATTACKS nasm command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 307-9>
active T
comment "EXPLOIT CHAT IRC topic overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1962-7>
active T
comment "RPC portmap RQUOTA request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2199-6>
active T
comment "WEB-CGI multidiff.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1037-10>
active T
dst-ip == local_nets
comment "WEB-IIS showcode.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 463-7>
active T
comment "ICMP unassigned type 7 undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1510-9>
active T
comment "WEB-CGI test.bat arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 487-4>
active F
comment "ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 1365-5>
active T
comment "WEB-ATTACKS rm command attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1576-4>
active T
comment "WEB-MISC Domino cersvr.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1038-8>
active T
comment "WEB-IIS site server config access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 377-7>
active T
comment "ICMP PING Network Toolbox 3 Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 433-8>
active T
comment "ICMP Photuris undefined code!"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2502-7>
active T
comment "POP3 SSLv3 invalid data version attempt"
requires-reverse-signature ! pop_return_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 2375-3>
active T
comment "BACKDOOR DoomJuice file upload attempt"
payload /^\x85\x13<\x9E\xA2/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
<delete>
payload /\x85\x13<\x9E\xA2/
</delete>
</augment>
<augment 1589-4>
active T
comment "WEB-MISC musicat empower attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2233-5>
active T
comment "WEB-MISC SFNofitication.dll access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1370-5>
active T
comment "WEB-ATTACKS /etc/inetd.conf access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1651-4>
active T
comment "WEB-CGI enivorn.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1369-5>
active T
comment "WEB-ATTACKS /bin/ls command attempt"
requires-reverse-signature ! http_error
http /.*[\/\\]bin[\/\\]ls[^a-zA-Z0-9_.-]/
<delete>
http /.*[\/\\]bin[\/\\]ls/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1468-7>
active T
comment "WEB-CGI Web Shopper shopper.cgi attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2565-1>
active T
comment "WEB-PHP modules.php access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 626-7>
active T
comment "SCAN cybercop os PA12 attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1956-5>
active F
comment "RPC AMD UDP version request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2480-3>
active T
comment "NETBIOS SMB-DS DCERPC shutdown unicode attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 897-10>
active T
comment "WEB-CGI pals-cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1158-10>
active T
comment "WEB-MISC windmail.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 664-13>
active T
comment SMTP RCPT TO decode attempt
comment "pcre: /^rcpt to\:\s+decode/smi"
payload "/((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*rcpt to\x3A.*.*[dD][eE][cC][oO][dD][eE]/
</delete>
</augment>
<augment 2395-3>
active T
comment "WEB-MISC InteractiveQuery.jsp access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 877-8>
active T
comment "WEB-CGI rksh access"
requires-reverse-signature ! http_error
requires-signature ! http_shell_check
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 585-7>
active T
comment "RPC portmap sadmind request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2368-4>
active T
comment "WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1512-9>
active T
comment "WEB-CGI input.bat arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1470-5>
active T
comment "WEB-CGI listrec.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2500-4>
active T
comment "MISC LDAP SSLv3 invalid data version attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 245-3>
active T
comment "DDOS mstream handler ping to agent"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1407-8>
active T
comment "WEB-PHP smssend.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1331-5>
active T
comment "WEB-ATTACKS uname -a command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2457-2>
active F
comment "CHAT Yahoo IM message"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 2550-2>
active T
comment "EXPLOIT winamp XM module name overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1809-9>
active T
comment "WEB-MISC Apache Chunked-Encoding worm attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1483-9>
active T
comment "WEB-CGI ustorekeeper.pl access"
dst-ip == local_nets
requires-reverse-signature ! http_error
comment "informational only"
comment "verify that application is not vulnerable"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1614-8>
active T
comment "WEB-MISC Novell Groupwise gwweb.exe attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1480-9>
active T
comment "WEB-CGI ttawebtop.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 670-7>
active T
comment "SMTP sendmail 8.6.9 exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 1248-13>
active T
comment "WEB-FRONTPAGE rad fp30reg.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 2130-5>
active T
comment "WEB-IIS IISProtect siteadmin.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1380-4>
active T
comment "WEB-IIS cross-site scripting attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1337-6>
active T
comment "WEB-ATTACKS chgrp command attempt"
requires-reverse-signature ! http_error
http /.*\/[cC][hH][gG][rR][pP]([^-a-zA-Z0-9_.]|$)/
<delete>
payload /.*\/[cC][hH][gG][rR][pP]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2451-3>
active F
comment "CHAT Yahoo IM voicechat"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 928-5>
active T
comment "WEB-COLDFUSION exampleapp access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 926-7>
active T
comment "WEB-COLDFUSION set odbc ini attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2242-4>
active T
comment "WEB-MISC ddicgi.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2298-4>
active T
comment "WEB-PHP Advanced Poll admin_templates.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
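<augment 2118-6>
active T
comment IMAP list overflow attempt
comment "pcre: /\sLIST\s[^\n]{100}/smi"
comment "The pcre is not anchored. IMAP commands carry a leading tag"
comment "(e.g. a001 LIST ...), so the previous pattern, which required"
comment "line-start plus whitespace immediately before LIST, could not"
comment "match a real command line. Use the .* search prefix instead, as"
comment "the original converted rule did."
comment "NOTE(review): if .* does not span newlines in this engine, only"
comment "the first line of the payload is searched - confirm"
payload "/.*[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]{100}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[lL][iI][sS][tT]/"
</delete>
</augment>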
<augment 1442-4>
active T
comment "TFTP GET shadow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 1250-11>
active T
comment "WEB-MISC Cisco IOS HTTP configuration attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
comment "would like to inspect contents of reply"
</augment>
<augment 1996-3>
active T
comment "WEB-CGI viralator.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 418-7>
active F
comment "ICMP Information Request undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2478-3>
active T
comment "NETBIOS SMB-DS DCERPC bind winreg attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1241-5>
active T
comment "WEB-MISC SWEditServlet directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1971-4>
active T
comment FTP SITE EXEC format string attempt
comment "pcre: /^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"
ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[eE][xX][eE][cC][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[sS][iI][tT][eE].*.*[eE][xX][eE][cC]/"
</delete>
</augment>
<augment 2286-2>
active T
comment "WEB-PHP friends.php access"
comment "added details for sql *injection*. rules differ for"
comment "other attacks, but this seems the most dangerous"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
http /.*[\/\\]friends\.php\x3fadmin\x3d[a-zA-Z0-9]{5,20}.* /
<delete>
http /.*[\/\\]friends\.php/
</delete>
</augment>
<augment 1522-10>
active T
comment "WEB-MISC ans.pl attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2192-8>
active T
comment "NETBIOS DCERPC ISystemActivator bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1926-6>
active T
comment "RPC mountd UDP exportall request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1717-4>
active T
comment "WEB-CGI simplestguest.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2522-7>
active F
comment "WEB-MISC SSLv3 invalid Client_Hello attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1738-5>
active T
comment "WEB-MISC global.inc access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
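<augment 2121-8>
active T
comment POP3 DELE negative arguement attempt
comment pcre: /^DELE\s+-\d/smi
comment "Fixed: the previous pattern dropped the whitespace class, so the"
comment "+ quantifier applied to the final E of DELE. It matched DELE-1 but"
comment "never the DELE -1 form the pcre describes."
payload /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b]+-[0-9]/
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
<delete>
payload "/.*[dD][eE][lL][eE]/"
</delete>
</augment>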
<augment 1219-10>
active T
comment "WEB-CGI dfire.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 834-7>
active T
comment "WEB-CGI rwwwshell.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1537-6>
active T
comment "WEB-CGI calendar_admin.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 701-7>
active T
comment "MS-SQL xp_updatecolvbm possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1163-11>
active T
comment "WEB-CGI webdist.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1519-8>
active T
comment "WEB-MISC apache ?M=D directory list attempt"
comment "add additional filters"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
http /Content-language:.* /
eval isApacheLt1322
</augment>
<augment 846-8>
active T
comment "WEB-CGI bnbform.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 412-7>
active F
comment "ICMP IPV6 I-Am-Here undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 492-8>
active F
comment "INFO TELNET Bad Login"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/info.rules
</augment>
<augment 2422-2>
active F
comment "MULTIMEDIA realplayer .rt playlist download attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 1110-7>
active T
comment "WEB-MISC apache source.asp file access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1484-5>
active T
comment "WEB-IIS /isapi/tstisapi.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2476-3>
active T
comment "NETBIOS SMB-DS Create AndX Request winreg attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 440-7>
active F
comment "ICMP Reserved for Security Type 19 undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 503-6>
active T
comment "MISC Source Port 20 to <1024"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 2471-3>
active T
comment "NETBIOS SMB-DS C$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 458-7>
active T
comment "ICMP unassigned type 1"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2568-1>
active T
comment "WEB-CGI Emumail emumail.fcgi access"
requires-reverse-signature ! http_error
http /.*[\/\\]emumail\.fcgi\?./
<delete>
http /.*[\/\\]emumail\.fcgi/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1359-5>
active T
comment "WEB-ATTACKS ping command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1569-5>
active T
comment "WEB-CGI loadpage.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1405-5>
active F
comment "WEB-CGI AHG search.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 813-9>
active T
comment "WEB-CGI webplus directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 700-8>
active T
comment "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1078-8>
active F
comment "WEB-MISC counter.exe access"
comment "'99 exploit against iis 4.0, remove"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 866-8>
active T
comment "WEB-CGI post-query access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 314-9>
active T
comment "DNS EXPLOIT named tsig overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 2137-2>
active T
comment "WEB-MISC philboard_admin.asp access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2069-5>
active T
comment "WEB-MISC chip.ini access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 991-8>
active T
comment "WEB-IIS achg.htr access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1566-7>
active T
comment "WEB-CGI eshop.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2116-3>
active T
comment "WEB-CGI chipcfg.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1872-3>
active T
comment "WEB-MISC Oracle Dynamic Monitoring Services dms access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1832-7>
active F
comment "CHAT ICQ forced user addition"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1399-11>
active T
comment "WEB-PHP PHP-Nuke remote file include attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
<delete>
payload /.*[fF][iI][lL][eE]=/
http /.*[\/\\]index\.php/
</delete>
http /.*[\/\\]index\.php.*[fF][iI][lL][eE]=([hH][tT][tT][pP][sS]?|[fF][tT][pP])/
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 954-6>
active T
comment "WEB-FRONTPAGE form_results.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1736-6>
active T
comment "WEB-PHP squirrel mail spell-check arbitrary command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1469-5>
active T
comment "WEB-CGI Web Shopper shopper.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 705-7>
active T
comment "MS-SQL xp_showcolv possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1177-6>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2521-5>
active F
comment "WEB-MISC SSLv3 Server_Hello request"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 869-8>
active T
comment "WEB-CGI dumpenv.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 811-9>
active F
comment "WEB-CGI websitepro path access"
comment "informational only"
comment "not exploit worthy"
comment "too general"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1769-3>
active T
comment "WEB-MISC .DS_Store access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 963-6>
active T
comment "WEB-FRONTPAGE svcacl.cnf access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1137-9>
active T
comment "WEB-PHP Phorum authentication access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1066-6>
active T
comment "WEB-MISC telnet attempt"
requires-reverse-signature ! http_error
http /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
<delete>
payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2182-6>
active F
comment "BACKDOOR typot trojan traffic"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 892-8>
active T
comment "WEB-CGI AnyForm2 access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2012-2>
active T
comment "MISC CVS missing cvsroot response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
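<augment 2307-5>
active T
comment WEB-PHP PayPal Storefront arbitrary command execution attempt
comment pcre: /page=(http|https|ftp)/i
comment "Fixed: the pcre is case-insensitive (/i) but the scheme alternation"
comment "was case-sensitive, so page=HTTP://... was missed. Also added the"
comment "leading .* that every other http pattern in this file uses, so the"
comment "match is not tied to the very start of the URI."
http /.*[pP][aA][gG][eE]=([hH][tT][tT][pP][sS]?|[fF][tT][pP])/
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
<delete>
payload /.*page=/
</delete>
</augment>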
<augment 2404-5>
active T
comment "NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1913-10>
active T
comment "RPC STATD UDP stat mon_name format string exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2518-10>
active T
comment "POP3 PCT Client_Hello overflow attempt"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 1945-4>
active T
comment "WEB-IIS unicode directory traversal attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2493-5>
active T
comment "NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2517-10>
active T
comment "IMAP PCT Client_Hello overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
</augment>
<augment 389-7>
active F
comment "ICMP Address Mask Request undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 443-5>
active F
comment "ICMP Router Selection"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2563-4>
active F
comment "NETBIOS NS lookup response name overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2284-3>
active T
comment "WEB-PHP rolis guestbook remote file include attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 420-7>
active F
comment "ICMP Mobile Host Redirect undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1917-6>
active F
comment "SCAN UPnP service discover attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 820-9>
active T
comment "WEB-CGI anaconda directory transversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1746-11>
active T
comment "RPC portmap cachefsd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 414-7>
active F
comment "ICMP IPV6 Where-Are-You undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 220-6>
active F
dst-ip == local_nets
comment "BACKDOOR HideSource backdoor attempt"
comment "old signature from 1997"
comment "moved check to hot-ids.bro"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 300-7>
active T
comment "EXPLOIT nlps x86 Solaris overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 601-6>
active T
comment "RSERVICES rlogin LinuxNIS"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 1096-6>
active T
comment "WEB-MISC Talentsoft Web+ internal IP Address access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2302-4>
active T
comment "WEB-PHP Advanced Poll poll_ssi.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
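<augment 1570-5>
active T
dst-ip == local_nets
comment "WEB-CGI loadpage.cgi access"
comment "Narrowed from plain access to a request whose query string contains"
comment "a slash, i.e. a path value passed in a parameter. The previous"
comment "pattern applied the {1,} quantifier to the question mark itself and"
comment "therefore only matched a literal ?/ immediately after the script"
comment "name."
requires-reverse-signature ! http_error
http /.*[\/\\]loadpage\.cgi\?.*\//
<delete>
http /.*[\/\\]loadpage\.cgi/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>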
<augment 2519-9>
active T
comment "SMTP Client_Hello overflow attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 885-9>
active F
comment "WEB-CGI bash access"
comment "sig too general, shell check does not keep man pages from triggering this"
requires-reverse-signature ! http_error
requires-signature ! http_shell_check
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 569-14>
active T
comment "RPC snmpXdmi overflow attempt TCP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2378-3>
active T
comment "EXPLOIT ISAKMP third payload certificate request length overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1674-5>
active T
comment "ORACLE connect_data remote version detection attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 914-5>
active T
comment "WEB-COLDFUSION beaninfo access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 322-10>
active T
comment "FINGER search query"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 365-8>
active F
comment "ICMP PING undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2191-3>
active T
comment "NETBIOS SMB DCERPC invalid bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2037-5>
active T
comment "RPC network-status-monitor mon-callback request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 968-6>
active T
comment "WEB-FRONTPAGE register.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 901-10>
active T
comment "WEB-CGI webspirs.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 609-5>
active T
comment "RSERVICES rsh froot"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 513-10>
active T
comment "MISC Cisco Catalyst Remote Access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 457-7>
active F
comment "ICMP Traceroute undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1067-6>
active T
comment "WEB-MISC net attempt"
requires-reverse-signature ! http_error
http /.*[^a-zA-Z0-9_.-][nN][eE][tT]\.[eE][xX][eE]/
<delete>
payload /.*[nN][eE][tT]\.[eE][xX][eE]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 332-8>
active T
comment "FINGER 0 query"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 2323-2>
active T
comment "WEB-CGI quickstore.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 692-6>
active T
comment "MS-SQL/SMB shellcode attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 851-7>
active T
comment "WEB-CGI files.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 105-7>
active T
comment "BACKDOOR - Dagger_1.4.0"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 599-11>
active T
comment "RPC portmap listing TCP 32771"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1847-8>
active F
comment "WEB-MISC webalizer access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
comment "informational only"
</augment>
<augment 1071-6>
active T
comment "WEB-MISC .htpasswd access"
requires-reverse-signature ! http_error
http /.*\/\.[hH][tT][pP][aA][sS][sS][wW][dD]/
<delete>
payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 620-9>
active F
comment "SCAN Proxy Port 8080 attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 635-3>
active T
comment "SCAN XTACACS logout"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1265-9>
active T
comment "RPC portmap cmsd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1669-5>
active T
comment "WEB-CGI /cgi-dos/ access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1949-5>
active T
comment "RPC portmap SET attempt TCP 111"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1581-4>
active T
comment "WEB-MISC Domino ntsync4.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2008-4>
active T
comment "MISC CVS invalid user authentication response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 431-6>
active F
comment "ICMP Photuris Valid Security Parameters, But Authentication Failed"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1406-11>
active T
comment "WEB-CGI agora.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1871-4>
active T
comment "WEB-MISC Oracle XSQLConfig.xml access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1292-8>
active T
comment "ATTACK-RESPONSES directory listing"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 109-5>
active T
comment "BACKDOOR netbus active"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1789-3>
active T
comment "CHAT IRC dns request"
comment "informational only"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1925-6>
active F
comment "RPC mountd TCP exportall request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1618-14>
active T
comment "WEB-IIS .asp chunked Transfer-Encoding"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1501-8>
active T
comment "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 249-7>
active T
comment "DDOS mstream client to handler"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 2454-3>
active F
comment "CHAT Yahoo IM conference logon success"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 2439-3>
active T
comment "WEB-CLIENT RealPlayer playlist http URL overflow attempt"
comment pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 2472-3>
active T
comment "NETBIOS SMB-DS C$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1070-7>
active T
comment "WEB-MISC WebDAV search access"
requires-signature http_iis_server
http /((^)|(\n+))[sS][eE][aA][rR][cC][hH]/
requires-reverse-signature ! http_error
sigaction SIG_FILE
# sigaction SIG_SUMMARY
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
payload /.{0,1}[sS][eE][aA][rR][cC][hH] /
</delete>
</augment>
<augment 283-10>
active T
comment "EXPLOIT Netscape 4.7 client overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 947-6>
active T
comment "WEB-FRONTPAGE orders.txt access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 2126-6>
active F
comment "MISC Microsoft PPTP Start Control Request buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1918-6>
active F
comment "SCAN SolarWinds IP scan attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1358-5>
active T
comment "WEB-ATTACKS traceroute command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2236-5>
active T
comment "WEB-MISC spamrule.dll access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 376-7>
active F
comment "ICMP PING Microsoft Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2335-2>
active T
comment "FTP RMD / attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 495-7>
active T
comment "ATTACK-RESPONSES command error"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 2523-6>
active F
comment "DOS BGP spoofed connection reset attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 1972-10>
active T
comment FTP PASS overflow attempt
comment "pcre: /^PASS\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[pP][aA][sS][sS]/"
</delete>
</augment>
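<augment 2374-4>
active T
comment FTP NLST overflow attempt
comment "pcre: /^NLST\s[^\n]{100}/smi"
comment "Fixed: [nNlLsStT] was a single character class matching one of"
comment "n, l, s or t, so the pattern never matched NLST at all and could"
comment "fire on any one-letter line followed by a long argument. Spelled"
comment "out per character, like the PASS overflow rule."
eval dataSizeG100
ftp "/((^)|(\n+))[nN][lL][sS][tT][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[nN][lL][sS][tT]/"
</delete>
</augment>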
<augment 2088-5>
active T
comment "RPC ypupdated arbitrary command attempt UDP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 327-8>
active T
comment "FINGER remote command pipe execution attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 2535-3>
active F
comment "POP3 SSLv3 Client_Hello request"
requires-reverse-signature ! pop_return_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 317-6>
active T
comment "EXPLOIT x86 Linux mountd overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 856-5>
active T
comment "WEB-CGI environ.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1527-7>
active T
comment "WEB-MISC basilix mysql.class access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1065-6>
active T
comment "WEB-MISC rcmd attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1324-6>
active T
comment "EXPLOIT ssh CRC32 overflow /bin/sh"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 507-4>
active T
comment "MISC PCAnywhere Attempted Administrator Login"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 899-8>
active T
comment "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2337-7>
active T
comment "TFTP PUT filename overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 819-7>
active F
comment "WEB-CGI mmstdod.cgi access"
comment "informational only"
comment "old signature from 03-01-2001"
requires-reverse-signature ! http_error
http /.*[\/\\]smartsearch\.cgi.*\|/
<delete>
http /.*[\/\\]smartsearch\.cgi/
</delete>
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1743-5>
active T
comment "WEB-PHP Blahz-DNS dostuff.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1083-6>
active T
comment "WEB-MISC unify eWave ServletExec DOS"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2228-4>
active T
comment "WEB-PHP phpMyAdmin db_details_importdocsql.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 979-9>
active T
comment "WEB-IIS ASP contents view"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1230-8>
active T
comment "WEB-MISC VirusWall FtpSave access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2377-3>
active T
comment "EXPLOIT ISAKMP second payload certificate request length overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 905-7>
active T
comment "WEB-COLDFUSION application.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1759-5>
active T
comment "MS-SQL xp_cmdshell program execution 445"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1585-4>
active T
comment "WEB-MISC Domino agentrunner.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 965-6>
active T
comment "WEB-FRONTPAGE writeto.cnf access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 2367-4>
active T
comment "WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 980-7>
active T
comment "WEB-IIS CGImail.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2041-2>
active T
comment "MISC xtacacs failed login response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1829-5>
active T
comment "WEB-MISC Tomcat TroubleShooter servlet access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 946-6>
active T
comment "WEB-FRONTPAGE fpadmcgi.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1593-10>
active T
comment "WEB-CGI FormHandler.cgi external site redirection attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 473-4>
active F
comment "ICMP redirect net"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 925-5>
active T
comment "WEB-COLDFUSION mainframeset access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1195-8>
active T
comment "WEB-CGI sojourn.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1899-8>
active T
comment "EXPLOIT kadmind buffer overflow attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1907-10>
active T
comment "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2203-6>
active T
comment "WEB-CGI everythingform.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 993-7>
active T
comment "WEB-IIS iisadmin access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2567-1>
active T
comment "WEB-CGI Emumail init.emu access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1649-7>
active T
comment "WEB-CGI perl command attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2497-6>
active T
comment "IMAP SSLv3 invalid data version attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/imap.rules
</augment>
<augment 2055-2>
active F
comment "WEB-CGI enter_bug.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
comment "Informational only"
</augment>
<augment 1213-5>
active T
comment "WEB-MISC backup access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1631-6>
active F
comment "CHAT AIM login"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 466-4>
active F
comment "ICMP L3retriever Ping"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 917-7>
active T
comment "WEB-COLDFUSION db connections flush attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 697-8>
active T
comment "MS-SQL/SMB xp_peekqueue possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1152-5>
active T
comment "WEB-MISC Domino domlog.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1283-9>
active T
comment "WEB-IIS outlook web dos"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1462-5>
active T
comment "WEB-CGI bb-replog.sh access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 805-10>
active F
comment "WEB-CGI webspeed access"
comment "informational only, not exploit worthy"
comment "old signature from 2000"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1266-10>
active T
comment "RPC portmap mountd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1204-6>
active T
comment "WEB-CGI ax-admin.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1010-7>
active T
comment "WEB-IIS encoding access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 482-5>
active F
comment "ICMP PING WhatsupGold Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 688-6>
active T
comment "MS-SQL sa login failed"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 890-10>
active T
comment "WEB-CGI sendform.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 587-8>
active T
comment "RPC portmap status request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1401-4>
active T
comment "WEB-IIS /msadc/samples/ access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 355-5>
active T
comment "FTP pass wh00t"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 405-6>
active F
comment "ICMP Destination Unreachable Source Host Isolated"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 828-5>
active T
comment "WEB-CGI maillist.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 238-6>
active F
comment "DDOS TFN server response"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 2148-4>
active T
comment "WEB-PHP BLNews objects.inc.php4 access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1103-8>
active T
comment "WEB-MISC Netscape admin passwd"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2419-2>
active F
comment "MULTIMEDIA realplayer .ram playlist download attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 410-5>
active F
comment "ICMP Fragment Reassembly Time Exceeded"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2082-9>
active T
comment "RPC portmap rpc.xfsmd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 929-7>
active T
comment "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2281-2>
active T
comment "WEB-PHP Setup.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2226-5>
active T
comment "WEB-PHP pmachine remote file include attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 413-5>
active F
comment "ICMP IPV6 Where-Are-You"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 564-7>
active F
comment "P2P Napster Client Data"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 1747-11>
active T
comment "RPC portmap cachefsd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 644-5>
active T
comment "SHELLCODE sparc NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1375-6>
active T
comment "WEB-MISC sadmind worm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1719-4>
active T
comment "WEB-CGI talkback.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1507-9>
active T
comment "WEB-CGI alibaba.pl arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1081-10>
active T
comment "WEB-MISC Netscape Servers suite DOS"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1943-3>
active T
comment "WEB-MISC /Carello/add.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1815-4>
active T
comment "WEB-PHP directory.php arbitrary command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2011-4>
active T
comment "MISC CVS invalid directory response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1260-10>
active T
comment "WEB-MISC long basic authorization string"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1602-6>
active T
comment "WEB-CGI htsearch access"
comment "add sanity checking to sig to reduce noise"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
<delete>
http /.*[\/\\]htsearch/
</delete>
http /.*[\/\\]htsearch\x3f.*\x3d[\x22\x60].*[\x22\x60].* /
</augment>
<augment 216-6>
active T
comment "BACKDOOR MISC Linux rootkit satori attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1891-8>
active T
comment "RPC status GHBN format string attack"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1526-8>
active T
comment "WEB-MISC basilix sendmail.inc access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2195-6>
active T
comment "WEB-CGI alert.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2462-6>
active T
comment "EXPLOIT IGMP IGAP account overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1220-5>
active T
comment "WEB-MISC ultraboard access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1854-7>
active T
comment "DDOS Stacheldraht handler->agent niggahbitch"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 277-5>
active F
comment "DOS Real Server template.html"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 469-3>
active F
comment "ICMP PING NMAP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 1532-7>
active T
comment "WEB-CGI bb-hostscv.sh attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 281-5>
active T
comment "DOS Ascend Route"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 258-6>
active F
comment "DNS EXPLOIT named 8.2->8.2.1"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 959-6>
active T
comment "WEB-FRONTPAGE service.pwd"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 2559-2>
active T
comment "EXPLOIT Oracle Web Cache COPY overflow attempt"
comment pcre: /^COPY[^s]{432}/sm
payload /((^)|(\n+))COPY[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload /.*COPY/
</delete>
</augment>
<augment 2149-1>
active T
comment "WEB-PHP Turba status.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2237-5>
active T
comment "WEB-MISC cgiWebupdate.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1084-8>
active T
comment "WEB-MISC Allaire JRUN DOS attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2073-3>
active T
comment "WEB-MISC globals.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1374-5>
active T
comment "WEB-ATTACKS .htgroup access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
<delete>
http /.*\.htgroup/
</delete>
http /.*\.htgroup[\x20\x09\x0b]*$/
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1128-5>
active T
comment "WEB-MISC cpshost.dll access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1122-5>
active T
comment "WEB-MISC /etc/passwd"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD].{1,}root:x:0:0/
<delete>
payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
</delete>
</augment>
<augment 1012-10>
active T
comment "WEB-IIS fpcount attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 645-5>
active T
comment "SHELLCODE sparc NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1398-10>
active T
comment "EXPLOIT CDE dtspcd exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2543-3>
active F
comment "SMTP TLS SSLv3 Server_Hello request"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2139-5>
active T
comment "WEB-MISC /*.shtml access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 229-5>
active T
comment "DDOS Stacheldraht client check skillz"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 373-6>
active F
comment "ICMP PING Flowpoint2200 or Network Management Software"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 969-5>
active T
comment "WEB-IIS WebDAV file lock attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1087-8>
active T
comment "WEB-MISC whisker tab splice attack"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 842-7>
active T
comment "WEB-CGI aglimpse access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2146-3>
active T
comment "WEB-PHP TextPortal admin.php default password 12345 attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1866-10>
active T
comment POP3 USER overflow attempt
comment "pcre: /^USER\s[^\n]{50,}/smi"
payload "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{50,}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
<delete>
payload "/.*[uU][sS][eE][rR]/"
</delete>
</augment>
<augment 1906-8>
active T
comment "RPC AMD TCP amqproc_mount plog overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2175-5>
active T
comment "NETBIOS SMB winreg unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1699-7>
active F
comment "P2P Fastrack kazaa/morpheus traffic"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 498-6>
active T
comment "ATTACK-RESPONSES id check returned root"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 976-10>
active T
comment "WEB-IIS .bat? access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 907-5>
active T
comment "WEB-COLDFUSION addcontent.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2177-4>
active T
comment "NETBIOS SMB startup folder unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 616-4>
active T
comment "SCAN ident version request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 2562-3>
active T
comment "WEB-MISC McAfee ePO file upload attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 183-4>
active F
comment "BACKDOOR SIGNATURE - Q ICMP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1472-9>
active F
comment "WEB-CGI book.cgi access"
comment "informational only"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1393-12>
active T
comment "MISC AIM AddGame attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 893-7>
active T
comment "WEB-CGI MachineInfo access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 115-5>
active T
comment "BACKDOOR netbus active"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2100-2>
active T
comment "BACKDOOR SubSeven 2.1 Gold server connection response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 450-8>
active F
comment "ICMP Time-To-Live Exceeded in Transit undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2087-5>
active T
comment "Sendmail SMTP From comment overflow attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
payload /.*From\x3A<><><><><><><><><><><><><><><><><><><><><><>.{1}\x28.{1}\x29/
<delete>
payload /.*From\x3A.*.*<><><><><><><><><><><><><><><><><><><><><><>.{1}.*\x28.{1}.*\x29/
</delete>
</augment>
<augment 951-10>
active T
comment "WEB-FRONTPAGE authors.pwd access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1395-8>
active T
comment "WEB-CGI zml.cgi attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1198-7>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1563-6>
active T
comment "WEB-MISC login.htm attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1290-10>
active F
comment "WEB-CLIENT readme.eml autoload attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 2549-1>
active T
comment "MISC HP Web JetAdmin file write attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1403-5>
active T
comment "WEB-MISC viewcode access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 966-9>
active T
comment "WEB-FRONTPAGE .... request"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 843-7>
active T
comment "WEB-CGI anform2 access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1191-6>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1413-10>
active T
comment "SNMP private access udp"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 1533-7>
active T
comment "WEB-CGI bb-hostscv.sh access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1092-7>
active T
comment "WEB-CGI Armada Style Master Index directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 331-10>
active T
comment "FINGER cybercop query"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 1577-4>
active T
comment "WEB-MISC Domino setup.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2496-5>
active F
comment "NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 471-3>
active T
comment "ICMP icmpenum v1.1.1"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 2120-3>
active T
comment IMAP create literal buffer overflow attempt
comment pcre: /\sCREATE\s[^\n]*?\s\{/smi
payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]*?\s\{/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload /.*[cC][rR][eE][aA][tT][eE]/
</delete>
</augment>
<augment 1436-4>
active F
comment "MULTIMEDIA Quicktime User Agent access"
comment "informational only, not exploit worthy"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 302-6>
active T
comment "EXPLOIT Redhat 7.0 lprd overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1077-6>
active T
comment "WEB-MISC queryhit.htm access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 248-4>
active F
comment "DDOS mstream handler to client"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1467-7>
active T
comment "WEB-CGI directorypro.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 867-9>
active T
comment "WEB-CGI visadmin.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2201-5>
active T
comment "WEB-CGI download.cgi access"
comment "add f=../ to sig for refinement"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
http /.*[\/\\]download\.cgi.*f\x3d\x2e\x2e\x2f.* /
<delete>
http /.*[\/\\]download\.cgi/
</delete>
</augment>
<augment 1908-9>
active T
comment "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1357-5>
active T
comment "WEB-ATTACKS nt admin addition attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1175-10>
active T
comment "WEB-MISC wwwboard.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1905-8>
active T
comment "RPC AMD UDP amqproc_mount plog overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1957-5>
active T
comment "RPC sadmind UDP PING"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1495-6>
active T
comment "WEB-CGI SIX webboard generate.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1628-10>
active T
comment "WEB-CGI FormHandler.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1778-4>
active T
comment "FTP EXPLOIT STAT ? dos attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 2266-4>
active T
comment SMTP SOML FROM sendmail prescan too long addresses overflow
comment pcre: /^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
payload /((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[sS][oO][mM][lL] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 1293-10>
active T
comment "NETBIOS nimda .eml"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1446-6>
active T
comment SMTP vrfy root
comment pcre: /^vrfy\s+root/smi
payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[rR][oO][oO][tT]/
sigaction SIG_FILE
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[vV][rR][fF][yY].{1}.*[rR][oO][oO][tT]/
</delete>
</augment>
<augment 2384-8>
active T
comment "NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1119-7>
active T
comment "WEB-MISC mlog.phtml access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2178-13>
active T
comment FTP USER format string attempt
comment pcre: /^USER\s[^\n]*?%[^\n]*?%/smi
ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[uU][sS][eE][rR]/
</delete>
</augment>
<augment 854-7>
active T
comment "WEB-CGI classifieds.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2220-6>
active T
comment "WEB-CGI simplestmail.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 931-6>
active T
comment "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1806-7>
active T
comment "WEB-IIS .htr chunked Transfer-Encoding"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2492-5>
active F
comment "NETBIOS SMB DCERPC ISystemActivator bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1715-4>
active T
comment "WEB-CGI register.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
http /.*[\/\\]register\.cgi/
payload /SEND_MAIL/
<delete>
http /.*[\/\\]register\.cgi/
</delete>
snort-rule-file snort_rules/rules2.2/web-cgi.rules
comment "Informational only"
</augment>
<augment 2574-1>
active T
comment "FTP RETR format string attempt"
comment pcre: /^RETR\s[^\n]*?%[^\n]*?%/smi
ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[rR][eE][tT][rR]/
</delete>
</augment>
<augment 661-6>
active T
comment "SMTP majordomo ifs"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 840-7>
active T
comment "WEB-CGI perlshop.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2209-5>
active T
comment "WEB-CGI getdoc.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
<delete>
http /.*[\/\\]getdoc\.cgi/
</delete>
http /.*[\/\\]getdoc\.cgi\?.*form-attachment.*command/
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1289-4>
active T
comment "TFTP GET Admin.dll"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 607-5>
active T
comment "RSERVICES rsh bin"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 679-6>
active T
comment "MS-SQL/SMB sp_adduser database user creation"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2326-3>
active T
comment "WEB-IIS sgdynamo.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1702-5>
active F
comment "WEB-CGI Amaya templates sendtemp.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 915-5>
active T
comment "WEB-COLDFUSION evaluate.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2033-8>
active T
comment "RPC ypserv maplist request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 835-9>
active T
comment "WEB-CGI test-cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1333-6>
active T
comment WEB-ATTACKS id command attempt
http /.*;[iI][dD]([;|\x20\x09\x0b]|$)./
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
<delete>
payload /.*\x3B[iI][dD]/
</delete>
</augment>
<augment 826-7>
active T
comment "WEB-CGI htmlscript access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 159-6>
active T
comment "BACKDOOR NetMetro File List"
dst-ip == local_nets
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1015-6>
active T
comment "WEB-IIS getdrvs.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1173-5>
active T
comment "WEB-MISC architext_query.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1104-9>
active T
comment "WEB-MISC whisker space splice attack"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 353-6>
active T
comment "FTP adm scan"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1712-4>
active T
comment "WEB-CGI bslist.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 362-12>
active T
comment "FTP tar parameters"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 990-6>
active T
comment "WEB-IIS _vti_inf access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1668-6>
active T
comment "WEB-CGI /cgi-bin/ access"
comment "under most conditions the root of cgi-bin should never return a list or valid document"
comment "tune for site specific"
http /.*[\/\\]cgi-bin[\/\\]$/
requires-reverse-signature ! http_error
<delete>
http /.*[\/\\]cgi-bin[\/\\]/
payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2150-7>
active T
comment "WEB-PHP ttCMS header.php remote file include attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2468-3>
active T
comment "NETBIOS SMB-DS D$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2013-2>
active T
comment "MISC CVS invalid module response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 665-5>
active T
comment "SMTP sendmail 5.6.5 exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 1550-10>
active T
comment SMTP ETRN overflow attempt
comment pcre: /^ETRN\s[^\n]{500}/smi
payload /((^)|(\n+))[eE][tT][rR][nN][\x20\x09\x0b][^\n]{500}/
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*ETRN/
</delete>
</augment>
<augment 1428-5>
active T
comment "MULTIMEDIA audio galaxy keepalive"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 2260-5>
active T
comment SMTP VRFY overflow attempt
comment pcre: /^VRFY[^\n]{255,}/smi
payload /((^)|(\n+))[vV][rR][fF][yY][^\n]{255,}/
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[vV][rR][fF][yY]/
</delete>
</augment>
<augment 1024-8>
active T
comment "WEB-IIS newdsn.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2252-11>
active T
comment "NETBIOS SMB-DS DCERPC Remote Activation bind attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 848-9>
active T
comment "WEB-CGI view-source directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2296-4>
active T
comment "WEB-PHP Advanced Poll admin_stats.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1335-5>
active T
comment "WEB-ATTACKS kill command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2488-4>
active T
comment "SMTP WinZip MIME content-disposition buffer overflow"
comment pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi
comment pcre: /name=s*[^\r\n\x3b\s\x2c]{300}/smi
payload /[nN][aA][mM][eE]=[^\r\n]*?\.(([mM][iI][mM])|([uU]{2}[eE])|([uU]{2})|([bB]64)|([bB][hH][xX])|([hH][qQ][xX])|([xX]{2}[eE]))/
payload /[nN][aA][mM][eE]=s*[^\r\n\x3b\x20\x09\x0b\x2c]{300}/
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 1660-4>
active T
comment "WEB-IIS trace.axd access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2018-4>
active T
comment "RPC mountd TCP dump request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1985-1>
active F
comment "BACKDOOR Doly 1.5 server response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1308-5>
active T
comment "WEB-CGI sendmessage.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1323-6>
active F
comment "EXPLOIT rwhoisd format string attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1901-10>
active T
comment "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 2070-2>
active T
comment "WEB-MISC post32.exe arbitrary command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1164-10>
active T
comment "WEB-MISC shopping cart access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 706-7>
active T
comment "MS-SQL xp_peekqueue possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 392-5>
active F
comment "ICMP Datagram Conversion Error"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1384-8>
active T
comment "MISC UPnP malformed advertisement"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 823-6>
active F
comment "WEB-CGI cvsweb.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
comment "informational only"
</augment>
<augment 1156-6>
active T
comment "WEB-MISC apache DOS attempt"
requires-signature ! http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1742-5>
active T
comment "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 155-5>
active T
comment "BACKDOOR NetSphere 1.31.337 access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1217-7>
active T
comment "WEB-MISC plusmail access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1969-3>
active T
comment "WEB-MISC ion-p remote file access"
dst-ip == local_nets
http /.*[\/\\]ion-p\?.*(c:\\|\.\.\/)/
requires-reverse-signature ! http_error
<delete>
http /.*[\/\\]ion-p/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2176-4>
active T
comment "NETBIOS SMB startup folder access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1438-6>
active F
comment "MULTIMEDIA Windows Media Video download"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 988-7>
active T
comment "WEB-IIS SAM Attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2541-5>
active F
comment "SMTP TLS SSLv3 invalid data version attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 983-9>
active T
comment "WEB-IIS unicode directory traversal attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1950-5>
active T
comment "RPC portmap SET attempt UDP 111"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1130-5>
active T
comment "WEB-MISC .wwwacl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1434-5>
active T
comment "WEB-MISC .bash_history access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 864-7>
active T
comment "WEB-CGI day5datanotifier.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1118-5>
active T
comment "WEB-MISC ls%20-l"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2256-3>
active T
comment "RPC sadmind query with root credentials attempt UDP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2239-3>
active T
comment "WEB-MISC redirect.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2570-6>
active T
comment "WEB-MISC Invalid HTTP Version String"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2542-3>
active F
comment "SMTP TLS SSLv3 Client_Hello request"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 895-7>
active F
comment "WEB-CGI redirect access"
comment "sig too general for general use"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 654-13>
active T
comment SMTP RCPT TO overflow
comment pcre: /^RCPT TO\s[^\n]{300}/ism
payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO][\x20\x09\x0b][^\n]{300}/
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2435-2>
active F
comment "WEB-CLIENT Microsoft emf metafile access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
comment "Informational only"
</augment>
<augment 1516-10>
active T
comment "WEB-CGI envout.bat arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 260-9>
active T
comment "DNS EXPLOIT named overflow ADMROCKS"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 2455-3>
active F
comment "CHAT Yahoo IM conference message"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 312-6>
active F
comment "EXPLOIT ntpdx overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
comment "Too general"
comment "Better handled by the ntp.bro policy"
</augment>
<augment 1199-11>
active T
comment "WEB-MISC Compaq Insight directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2327-2>
active T
comment "WEB-MISC bsml.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2259-5>
active T
comment SMTP EXPN overflow attempt
comment "pcre: /^EXPN[^\n]{255,}/smi"
payload "/((^)|(\n+))[eE][xX][pP][nN][^\n]{255,}/"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload "/.*[eE][xX][pP][nN]/"
</delete>
</augment>
<augment 2280-2>
active T
comment "WEB-PHP Title.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2106-7>
active T
comment IMAP lsub overflow attempt
comment "pcre: /\sLSUB\s[^\n]{100}/smi"
payload "/((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]{100}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*LSUB/"
</delete>
</augment>
<augment 646-5>
active T
comment "SHELLCODE sparc NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1141-10>
active F
comment "WEB-MISC handler access"
comment "Disabled because it is too general"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1273-10>
active T
comment "RPC portmap selection_svc request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1451-6>
active T
comment "WEB-CGI NPH-publish access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1701-4>
active T
comment "WEB-CGI calendar-admin.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1716-6>
active T
dst-ip == local_nets
payload /_MAILTO.*\;/
comment "WEB-CGI gbook.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1149-12>
active F
comment "WEB-CGI count.cgi access"
comment "circa '97, remove rule as too general"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 593-18>
active T
comment "RPC portmap snmpXdmi request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 407-7>
active F
comment "ICMP Destination Unreachable undefined code"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1812-5>
active T
comment "EXPLOIT gobbles SSH exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2002-4>
active T
comment "WEB-PHP remote include path"
comment "add better rule"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
<delete>
http /.*\.php/
</delete>
http /.*\.php.*[pP][aA][tT][hH]\x3d(http|https|ftp)\x2fi/
</augment>
<augment 1423-12>
active T
comment "WEB-PHP content-disposition memchr overflow"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2525-6>
active F
comment "NETBIOS SMB DCERPC LSASS direct bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 672-6>
active T
comment SMTP vrfy decode
comment "pcre: /^vrfy\s+decode/smi"
payload "/((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload "/.*[vV][rR][fF][yY].{1}.*[dD][eE][cC][oO][dD][eE]/"
</delete>
</augment>
<augment 1624-5>
active T
comment "FTP large PWD command"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 2204-6>
active T
comment "WEB-CGI ezadmin.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 301-7>
active T
comment "EXPLOIT LPRng overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2292-4>
active T
comment "WEB-PHP Advanced Poll admin_logout.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2179-4>
active T
comment FTP PASS format string attempt
comment "pcre: /^PASS\s[^\n]*?%[^\n]*?%/smi"
ftp "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[pP][aA][sS][sS]/"
</delete>
</augment>
<augment 630-5>
active T
comment "SCAN synscan portscan"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 147-5>
active T
comment "BACKDOOR GateCrasher"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 304-9>
active F
comment "EXPLOIT SCO calserver overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2214-6>
active T
comment "WEB-CGI mailview.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1727-7>
active T
comment "WEB-CGI SGI InfoSearch fname access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1641-5>
active T
comment "DOS DB2 dos attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 1924-6>
active T
comment "RPC mountd UDP export request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1245-10>
active T
comment "WEB-IIS ISAPI .idq access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2221-6>
active T
comment "WEB-CGI ws_mail.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2507-6>
active F
comment "NETBIOS DCERPC LSASS bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1340-5>
active T
comment "WEB-ATTACKS tftp command attempt"
requires-reverse-signature ! http_error
requires-signature ! http_cool_dll
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1476-5>
active T
comment "WEB-CGI sdbsearch.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2193-9>
active T
comment "NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1869-5>
active T
comment "WEB-CGI story.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1165-9>
active T
comment "WEB-MISC Novell Groupwise gwweb.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2215-6>
active T
comment "WEB-CGI nsManager.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2267-4>
active T
comment SMTP MAIL FROM sendmail prescan too many addresses overflow
comment "pcre: /^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*? ..."
payload "/((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 2255-3>
active T
comment "RPC sadmind query with root credentials attempt TCP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 703-7>
active F
comment "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1211-6>
active T
comment "WEB-CGI web-map.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2465-3>
active T
comment "NETBIOS SMB-DS IPC$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1160-11>
active T
comment "WEB-MISC Netscape dir index wp"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1082-8>
active F
comment "WEB-MISC amazon 1-click cookie theft"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 909-6>
active T
comment "WEB-COLDFUSION datasource username attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1155-5>
active T
comment "WEB-MISC Ecommerce checks.txt access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2287-4>
active T
comment "WEB-PHP Advanced Poll admin_comment.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 927-7>
active T
comment "WEB-COLDFUSION settings refresh attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 378-7>
active F
comment "ICMP PING Ping-O-MeterWindows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2544-3>
active F
comment "SMTP TLS SSLv3 invalid Client_Hello attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 1842-9>
active T
comment IMAP login buffer overflow attempt
comment "pcre: /\sLOGIN\s[^\n]{100}/smi"
payload "/((^)|(\n+))[\x20\x09\x0b]LOGIN[\x20\x09\x0b][^\n]{100}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*LOGIN/"
</delete>
</augment>
<augment 932-7>
active T
comment "WEB-COLDFUSION application.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 499-4>
active F
comment "ICMP Large ICMP Packet"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 838-9>
active T
comment "WEB-CGI webgais access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2448-2>
active T
comment "WEB-MISC setinfo.hts access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 465-3>
active T
comment "ICMP ISS Pinger"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 674-6>
active T
comment "MS-SQL xp_displayparamstmt possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 590-12>
active T
comment "RPC portmap ypserv request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1787-7>
active T
comment "WEB-CGI csPassword.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1244-10>
active T
comment "WEB-IIS ISAPI .idq attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 971-7>
active T
comment "WEB-IIS ISAPI .printer access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1662-5>
active T
comment "WEB-MISC /~ftp access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1054-7>
active T
comment WEB-MISC weblogic/tomcat .jsp view source attempt
comment "pcre: /^\w+\s+[^\n\s\?]*\.jsp/smi"
http "/((^)|(\n+))[a-zA-Z0-9_]+[\x20\x09\x0b]+[^\n\x20\x09\x0b\?]*\.[jJ][sS][pP]/"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
http "/.*\.jsp/"
</delete>
</augment>
<augment 1737-6>
active T
comment "WEB-PHP squirrel mail theme arbitrary command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1892-6>
active T
comment "SNMP null community string attempt"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2269-4>
active T
comment SMTP RCPT TO sendmail prescan too many addresses overflow
comment "pcre: /^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<"
payload "/((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
</delete>
</augment>
<augment 1679-4>
active F
comment "ORACLE describe attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 259-7>
active T
comment "DNS EXPLOIT named overflow ADM"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 415-5>
active F
comment "ICMP Information Reply"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2045-8>
active T
comment "RPC snmpXdmi overflow attempt UDP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2133-5>
active T
comment "WEB-IIS MS BizTalk server access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2339-2>
active T
comment "TFTP NULL command attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 1819-5>
active T
comment "MISC Alcatel PABX 4400 connection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1479-8>
active T
comment "WEB-CGI ttawebtop.cgi arbitrary file attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 995-10>
active T
comment "WEB-IIS ism.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1159-10>
active T
comment "WEB-MISC webplus access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 427-6>
active F
comment "ICMP Parameter Problem Unspecified Error"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2091-8>
active T
comment "WEB-IIS WEBDAV nessus safe scan attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1604-6>
active F
comment "WEB-MISC iChat directory traversal attempt"
comment "too general"
comment "old signature from 1999"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 381-6>
active F
comment "ICMP PING Sun Solaris"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1117-6>
active T
comment "WEB-MISC Lotus EditDoc attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1176-5>
active T
comment "WEB-MISC order.log access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 677-6>
active T
comment "MS-SQL/SMB sp_password password change"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 871-7>
active T
comment "WEB-CGI survey.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2489-2>
active T
comment "EXPLOIT esignal STREAMQUOTE buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1030-7>
active T
comment "WEB-IIS search97.vts access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2539-3>
active F
comment "SMTP SSLv3 Server_Hello request"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 1408-8>
active T
comment "DOS MSDTC attempt"
comment "change payload-size == 1024"
payload-size "== 1024"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 1638-5>
active T
comment "SCAN SSH Version map attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1133-11>
active T
comment "SCAN cybercop os probe"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 2057-5>
active T
comment "WEB-MISC helpout.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1988-3>
active F
comment "CHAT MSN file transfer accept"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1625-5>
active F
comment "FTP large SYST command"
comment Too many false positives for normal FTP traffic
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 417-5>
active F
comment "ICMP Information Request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1562-11>
active T
comment FTP SITE CHOWN overflow attempt
comment pcre: /^SITE\s+CHOWN\s[^\n]{100}/smi
eval dataSizeG100
ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][oO][wW][nN][\x20\x09\x0b][^\n]{100}/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[sS][iI][tT][eE].*.*[cC][hH][oO][wW][nN]/
</delete>
</augment>
<augment 1131-5>
active T
comment "WEB-MISC .wwwacl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2479-3>
active F
comment "NETBIOS SMB-DS DCERPC bind winreg unicode attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1849-7>
active T
comment "WEB-MISC webfind.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 402-7>
active F
comment "ICMP Destination Unreachable Port Unreachable"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1188-6>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 250-4>
active T
comment "DDOS mstream handler to client"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 652-9>
active T
comment "SHELLCODE Linux shellcode"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1345-5>
active T
comment "WEB-ATTACKS /usr/bin/cpp command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1218-5>
active T
comment "WEB-MISC adminlogin access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 627-7>
active T
comment "SCAN cybercop os SFU12 probe"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1235-8>
active T
comment "WEB-MISC VirusWall FtpSaveCVP access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1580-4>
active T
comment "WEB-MISC Domino events4.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1711-4>
active T
comment "WEB-CGI bsguest.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1009-4>
active T
comment "WEB-IIS directory listing"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1544-5>
active T
comment "WEB-MISC Cisco Catalyst command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1915-9>
active T
comment "RPC STATD UDP monitor mon_name format string exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2272-4>
active T
comment FTP LIST integer overflow attempt
comment "pcre: /^LIST\s+\x22-W\s+\d+/smi"
ftp "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b]+\x22-W[\x20\x09\x0b]+[0-9]+/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[lL][iI][sS][tT]/"
</delete>
</augment>
<augment 1948-4>
active T
comment "DNS zone transfer UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 103-7>
active T
comment "BACKDOOR subseven 22"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 663-13>
active T
comment SMTP rcpt to command attempt
comment "pcre: /^rcpt\s+to\:\s+[|\x3b]/smi"
payload "/((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[|\x3b]/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
</delete>
</augment>
<augment 1959-7>
active T
comment "RPC portmap NFS request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2317-4>
active T
comment "MISC CVS non-relative path error response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1140-11>
active T
comment "WEB-MISC guestbook.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1718-4>
active T
comment "WEB-CGI statusconfig.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 462-7>
active F
comment "ICMP unassigned type 7"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 436-6>
active F
comment "ICMP Redirect for TOS and Host"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 579-8>
active T
comment "RPC portmap mountd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 900-11>
active F
comment "WEB-CGI webspirs.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 287-6>
active T
comment "POP3 EXPLOIT x86 BSD overflow"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 1992-5>
active T
comment "FTP LIST directory traversal attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1404-5>
active F
comment "WEB-MISC showcode access"
comment "duplicate of 1037"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 575-8>
active T
comment "RPC portmap admind request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 502-2>
active T
comment "MISC source route ssrr"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1574-7>
active T
comment "WEB-CGI directorypro.cgi attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1258-10>
active T
comment "WEB-MISC HP OpenView Manager DOS"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1827-7>
active T
comment "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1008-7>
active T
comment "WEB-IIS del attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2208-5>
active T
comment "WEB-CGI fom.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2007-10>
active T
comment "RPC kcms_server directory traversal attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1174-8>
active T
comment "WEB-CGI /cgi-bin/jj access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2412-3>
active T
comment "ATTACK-RESPONSES successful cross site scripting forced download attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 2366-4>
active T
comment "WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 886-11>
active F
comment "WEB-CGI phf access"
comment "too general a sig, attack circa '99"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1921-5>
active T
comment FTP SITE ZIPCHK overflow attempt
comment pcre: /^SITE\s+ZIPCHK\s[^\n]{100}/smi
eval dataSizeG100
ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[zZ][iI][pP][cC][hH][kK][\x20\x09\x0b][^\n]{100}/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[sS][iI][tT][eE].{1}.*[zZ][iI][pP][cC][hH][kK]/
</delete>
</augment>
<augment 1488-8>
active T
dst-ip == local_nets
comment "WEB-CGI store.cgi directory traversal attempt"
comment "verify application is not vulnerable"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1150-6>
active T
comment "WEB-MISC Domino catalog.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 541-9>
active F
comment "CHAT ICQ access"
comment "informational only, not exploit worthy"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 2388-4>
active T
comment "WEB-CGI streaming server view_broadcast.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 702-8>
active T
comment "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2202-6>
active T
comment "WEB-CGI edit_action.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 972-8>
active F
comment "WEB-IIS %2E-asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 584-11>
active T
comment "RPC portmap rusers request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2315-6>
active T
comment "NETBIOS DCERPC Workstation Service direct service bind attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1877-5>
active T
comment "WEB-CGI printenv access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
http /.*\/cgi-bin[^\/]*\/printenv/
comment "Informational only"
<delete>
http /.*[\/\\]printenv/
</delete>
</augment>
<augment 1013-9>
active T
comment "WEB-IIS fpcount access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 518-6>
active T
comment "TFTP Put"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 860-8>
active T
comment "WEB-CGI snork.bat access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1999-4>
active T
comment "WEB-PHP edit_image.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 453-5>
active F
comment "ICMP Timestamp Request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 669-8>
active F
comment "SMTP sendmail 8.6.9 exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 1020-10>
active T
comment "WEB-IIS isc$data attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2352-7>
active F
comment "NETBIOS DCERPC ISystemActivator path overflow attempt big endian"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 208-5>
active T
comment "BACKDOOR PhaseZero Server Active on Network"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1824-6>
active F
dst-ip == local_nets
comment "WEB-CGI alienform.cgi access"
comment "informational only"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 574-8>
active T
comment "RPC mountd TCP export request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1427-4>
active T
comment "SNMP PROTOS test-suite-trap-app attempt"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 1098-8>
active T
comment "WEB-MISC SmartWin CyberOffice Shopping Cart access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2159-8>
active T
comment "MISC BGP invalid type 0"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 807-11>
active F
comment "WEB-CGI /wwwboard/passwd.txt access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1961-7>
active T
comment "RPC portmap RQUOTA request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 552-7>
active F
comment "P2P napster upload request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 1022-8>
active T
comment "WEB-IIS jet vba access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 863-7>
active T
comment "WEB-CGI day5datacopier.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2054-4>
active T
comment "WEB-CGI enter_bug.cgi arbitrary command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2450-3>
active F
comment "CHAT Yahoo IM successful logon"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1120-8>
active T
comment "WEB-MISC mylog.phtml access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 710-7>
active T
comment "TELNET EZsetup account attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 416-7>
active F
comment "ICMP Information Reply undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 875-9>
active T
comment "WEB-CGI win-c-sample.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1302-7>
active T
comment "WEB-MISC console.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2020-4>
active T
comment "RPC mountd TCP unmount request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1090-7>
active T
comment "WEB-CGI Allaire Pro Web Shell attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2010-4>
active T
comment "MISC CVS double free exploit attempt response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1672-10>
active T
comment FTP CWD ~ attempt
comment pcre: /^CWD\s+~/smi (the original pcre is case-insensitive; the ftp pattern below matches CWD in upper case only)
ftp /((^)|(\n+))CWD[\x20\x09\x0b]+~/
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*CWD/
</delete>
</augment>
<augment 1051-9>
active T
comment "WEB-CGI technote main.cgi file directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 898-9>
active T
comment "WEB-CGI commerce.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1578-4>
active F
comment "WEB-MISC Domino statrep.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1397-6>
active T
comment "WEB-CGI wayboard attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 423-5>
active F
comment "ICMP Mobile Registration Request"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1878-5>
active T
comment "WEB-CGI sdbsearch.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2030-6>
active T
comment "RPC yppasswd new password overflow attempt TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 673-5>
active T
comment "MS-SQL sp_start_job - program execution"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1450-5>
active T
comment "SMTP expn *@"
comment "pcre: /^expn\s+\*@/smi"
payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]\*@/"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload "/.*[eE][xX][pP][nN]/"
payload "/.*\*@/"
</delete>
</augment>
<augment 1106-9>
active T
comment "WEB-CGI Poll-it access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1844-9>
active T
comment IMAP authenticate overflow attempt
comment "pcre: /\sAUTHENTICATE\s[^\n]{100}/smi"
payload "/((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]{100}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE]/"
</delete>
</augment>
<augment 671-8>
active T
comment "SMTP sendmail 8.6.9c exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 894-8>
active T
comment "WEB-CGI bb-hist.sh access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2206-6>
active T
comment "WEB-CGI ezman.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 375-6>
active F
comment "ICMP PING LINUX/*BSD"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1148-5>
active T
comment "WEB-MISC Ecommerce import.txt access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 695-7>
active T
comment "MS-SQL/SMB xp_sprintf possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 857-10>
active T
comment "WEB-CGI faxsurvey access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2474-3>
active T
comment "NETBIOS SMB-DS ADMIN$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1894-8>
active T
comment "EXPLOIT kadmind buffer overflow attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1011-7>
active T
comment "WEB-IIS exec-src access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 397-6>
active F
comment "ICMP Destination Unreachable Host Precedence Violation"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 255-11>
active T
comment "DNS zone transfer TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 1774-3>
active T
comment "WEB-PHP bb_smilies.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2501-8>
active F
comment "POP3 SSLv3 invalid timestamp attempt"
requires-reverse-signature ! pop_return_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 430-6>
active F
comment "ICMP Photuris Unknown Security Parameters Index"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 707-8>
active T
comment "MS-SQL xp_proxiedmetadata possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1332-5>
active T
comment "WEB-ATTACKS /usr/bin/id command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 667-5>
active T
comment "SMTP sendmail 8.6.10 exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2216-6>
active T
comment "WEB-CGI readmail.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2558-2>
active T
comment "EXPLOIT Oracle Web Cache MKCOL overflow attempt"
comment pcre: /^MKCOL[^s]{432}/sm
payload /((^)|(\n+))MKCOL[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload /.*MKCOL/
</delete>
</augment>
<augment 2205-6>
active F
dst-ip == local_nets
comment "WEB-CGI ezboard.cgi access"
comment "Too general"
comment "vulnerabilities are too broad"
comment "Suggestion: check the site's installed version of the software and test whether it is vulnerable, make any adjustments, and then disable this rule."
requires-reverse-signature ! http_error
http /.*[\/\\]ezboard\.cgi/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1910-10>
active T
comment "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 668-6>
active T
comment "SMTP sendmail 8.6.10 exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 311-11>
active T
comment "EXPLOIT Netscape 4.7 unsucessful overflow"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2351-7>
active F
comment "NETBIOS DCERPC ISystemActivator path overflow attempt little endian"
comment "Functions not supported"
comment "Better suited to a Bro analyzer"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1951-5>
active T
comment "RPC mountd TCP mount request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1185-10>
active T
comment "WEB-CGI bizdbsearch attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1608-5>
active T
comment "WEB-CGI htmlscript attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 278-5>
active T
comment "DOS Real Server template.html"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 812-9>
active F
comment "WEB-CGI webplus version access"
comment "informational only"
comment "old signature from 04-10-2000"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1707-7>
active T
comment "WEB-CGI hello.bat arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2526-6>
active F
comment "NETBIOS SMB-DS DCERPC LSASS direct bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1642-7>
active T
comment "WEB-CGI document.d2w access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1751-5>
active T
comment "EXPLOIT cachefsd buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1591-6>
active T
comment "WEB-CGI faqmanager.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1336-5>
active T
comment "WEB-ATTACKS chmod command attempt"
requires-reverse-signature ! http_error
http /.*\/[cC][hH][mM][oO][dD]([^-a-zA-Z0-9_.]|$)/
<delete>
payload /.*\/[bB][iI][nN]\/[cC][hH][mM][oO][dD]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1029-7>
active T
comment "WEB-IIS scripts-browse access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 380-7>
active F
comment "ICMP PING Seer Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 808-8>
active F
comment "WEB-CGI webdriver access"
comment "informational only"
comment "old signature from 12-30-2000"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2410-2>
active T
comment "WEB-PHP IGeneric Free Shopping Cart page.php access"
dst-ip == local_nets
http /.*[\/\\]page\.php\?.*script/
<delete>
http /.*[\/\\]page\.php/
</delete>
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1475-4>
active T
comment "WEB-CGI mailit.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2151-4>
active T
comment "WEB-PHP ttCMS header.php access"
requires-reverse-signature ! http_error
sigaction SIG_QUIET
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1730-7>
active T
comment "WEB-CGI ustorekeeper.pl directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 310-8>
active T
comment "EXPLOIT x86 windows MailMax overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2510-7>
active F
comment "NETBIOS SMB DCERPC LSASS bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2293-4>
active T
comment "WEB-PHP Advanced Poll admin_password.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1492-5>
active T
comment "WEB-MISC RBS ISP /newuser directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2538-3>
active F
comment "SMTP SSLv3 Client_Hello request"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2428-3>
active T
comment NNTP ihave overflow attempt
comment "pcre: /^ihave\x3a[^\n]{21}/smi"
payload "/((^)|(\n+))[iI][hH][aA][vV][eE]\x3a[^\n]{21}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload "/.*[iI][hH][aA][vV][eE]/"
</delete>
</augment>
<augment 1810-9>
active T
comment "ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1912-9>
active T
comment "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2017-12>
active T
comment "RPC portmap espd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 497-8>
active T
comment "ATTACK-RESPONSES file copied ok"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1964-8>
active T
comment "RPC tooltalk UDP overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 936-5>
active T
comment "WEB-COLDFUSION gettempdirectory.cfm access "
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 505-5>
active T
comment "MISC Insecure TIMBUKTU Password"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1506-7>
active T
comment "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1923-6>
active T
comment "RPC portmap proxy attempt UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1390-5>
active T
comment "SHELLCODE x86 inc ebx NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 2264-4>
active T
comment SMTP SAML FROM sendmail prescan too long addresses overflow
comment "pcre: /^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
payload "/((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[sS][aA][mM][lL] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 709-7>
active T
comment "TELNET 4Dgifts SGI account attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 606-5>
active T
comment "RSERVICES rlogin root"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 1788-3>
active T
comment "WEB-CGI csPassword password.cgi.tmp access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2469-3>
active T
comment "NETBIOS SMB-DS D$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 226-6>
active T
comment "DDOS Stacheldraht server response"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1095-6>
active T
comment "WEB-MISC Talentsoft Web+ Source Code view access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 490-6>
active F
comment "INFO battle-mail traffic"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/info.rules
</augment>
<augment 2181-2>
active F
comment "P2P BitTorrent transfer"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 1385-11>
active T
comment "WEB-MISC mod-plsql administration access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1109-8>
active T
comment "WEB-MISC ROXEN directory list attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2105-4>
active T
comment IMAP authenticate literal overflow attempt
comment "pcre: /\sAUTHENTICATE\s[^\n]*?\s\{/smi"
payload "/((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE]/"
</delete>
</augment>
<augment 231-3>
active T
comment "DDOS Trin00 Daemon to Master message detected"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1439-5>
active F
comment "MULTIMEDIA Shoutcast playlist redirection"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 1838-8>
active T
comment EXPLOIT SSH server banner overflow
comment "pcre: /^SSH-\s[^\n]{200}/ism"
payload "/((^)|(\n+))[sS][sS][hH]-[\x20\x09\x0b][^\n]{200}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload "/.*[sS][sS][hH]-/"
</delete>
</augment>
<augment 1597-7>
active F
comment "WEB-CGI guestbook.cgi access"
comment "too general"
comment "informational only"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1858-5>
active T
comment "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 449-6>
active F
comment "ICMP Time-To-Live Exceeded in Transit"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 830-7>
active F
comment "WEB-CGI NPH-publish access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
comment "duplicate of 1451-6"
</augment>
<augment 1349-5>
active F
comment "WEB-ATTACKS bin/python access attempt"
comment "informational only"
comment "too general"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1368-6>
active T
comment "WEB-ATTACKS /bin/ls| command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2101-9>
active T
comment "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2529-3>
active F
comment "IMAP SSLv3 Client_Hello request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/imap.rules
</augment>
<augment 2031-5>
active T
comment "RPC yppasswd user update UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1025-6>
active T
comment "WEB-IIS perl access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2490-3>
active T
comment "EXPLOIT esignal SNAPQUOTE buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 810-11>
active F
comment "WEB-CGI whois_raw.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
comment "duplicate of 1410"
</augment>
<augment 2349-5>
active F
comment "NETBIOS SMB-DS DCERPC enumerate printers request attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2312-2>
active T
comment "SHELLCODE x86 0x71FB7BAB NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1166-8>
active T
comment "WEB-MISC ws_ftp.ini access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 997-6>
active T
comment "WEB-IIS asp-dot attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2306-4>
active T
comment WEB-PHP gallery arbitrary command execution attempt
comment pcre: /GALLERY_BASEDIR=(http|https|ftp)/i
http /.*[gG][aA][lL][lL][eE][rR][yY]_[bB][aA][sS][eE][dD][iI][rR]=(http|https|ftp)/
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
<delete>
payload /.*GALLERY_BASEDIR=/
</delete>
</augment>
<augment 1973-6>
active T
comment FTP MKD overflow attempt
comment pcre: /^MKD\s[^\n]{100}/smi
eval dataSizeG100
ftp /((^)|(\n+))[mM][kK][dD][\x20\x09\x0b][^\n]{100}/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[mM][kK][dD]/
</delete>
</augment>
<augment 1279-14>
active T
comment "RPC portmap snmpXdmi request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 120-5>
active T
comment "BACKDOOR Infector 1.6 Server to Client"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2310-8>
active T
comment "NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1876-4>
active T
comment "WEB-CGI nph-publish.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1558-5>
active T
comment "WEB-MISC Delegate whois overflow attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2396-2>
active T
comment "WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1757-3>
active T
comment "WEB-MISC b2 arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1888-8>
active T
comment FTP SITE CPWD overflow attempt
comment "pcre: /^SITE\s+CPWD\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][pP][wW][dD][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[sS][iI][tT][eE].*.*[cC][pP][wW][dD]/"
</delete>
</augment>
<augment 508-7>
active T
comment "MISC gopher proxy"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 2095-6>
active T
comment "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2491-5>
active F
comment "NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1178-6>
active T
comment "WEB-PHP Phorum read access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1419-9>
active T
comment "SNMP trap udp"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 1553-7>
active T
comment "WEB-CGI /cart/cart.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2288-4>
active T
comment "WEB-PHP Advanced Poll admin_edit.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 271-4>
active T
comment "DOS UDP echo+chargen bomb"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 308-8>
active T
comment "EXPLOIT NextFTP client overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2294-4>
active F
comment "WEB-PHP Advanced Poll admin_preview.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2035-6>
active T
comment "RPC portmap network-status-monitor request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2123-2>
active T
comment "ATTACK-RESPONSES Microsoft cmd.exe banner"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1234-8>
active T
comment "WEB-MISC VirusWall FtpSaveCSP access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2147-7>
active T
comment "WEB-PHP BLNews objects.inc.php4 remote file include attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1381-5>
active T
comment "WEB-MISC Trend Micro OfficeScan attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 371-7>
active F
comment "ICMP PING Cisco Type.x"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 522-2>
active T
comment "MISC Tiny Fragments"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1417-9>
active F
comment "SNMP request udp"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 639-5>
active T
comment "SHELLCODE SGI NOOP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1457-6>
active T
comment "WEB-CGI user_update_admin.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 334-5>
active T
comment "FTP .forward"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1979-4>
active F
comment "WEB-MISC perl post attempt"
comment "too general"
comment "perl POST attempts are normal in the real world"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 225-6>
active T
comment "DDOS Stacheldraht gag server response"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 2291-4>
active T
comment "WEB-PHP Advanced Poll admin_license.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1851-6>
active T
comment "WEB-MISC active.log access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1848-5>
active T
comment "WEB-MISC webcart-lite access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2487-4>
active T
comment "SMTP WinZip MIME content-type buffer overflow"
comment pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi
comment pcre: /(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi
payload /[nN][aA][mM][eE]=[^\r\n]*?\.([mM][iI][mM]|[uU]{2}[eE]?|[bB]64|[bB][hH][xX]|[hH][qQ][xX]|[xX]{2}[eE])/
payload /([nN][aA][mM][eE]|[iI][dD]|[nN][uU][mM][bB][eE][rR]|[tT][oO][tT][aA][lL]|[bB][oO][uU][nN][dD][aA][rR][yY])=[\x20\x09\x0b]*[^\r\n\x3b\s\x2c]{300}/
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2553-2>
active T
comment "EXPLOIT Oracle Web Cache PUT overflow attempt"
comment pcre: /^PUT[^s]{432}/sm
payload /((^)|(\n+))PUT[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
<delete>
payload /.*PUT/
</delete>
</augment>
<augment 2009-2>
active T
src-ip == local_nets
comment "MISC CVS invalid repository response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 459-7>
active F
comment "ICMP unassigned type 1 undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2437-5>
active T
comment WEB-CLIENT RealPlayer arbitrary javascript command attempt
comment "pcre: /^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"
requires-signature http_real_client
http "/((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3a[\x20\x09\x0b][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\x2f[sS][mM][iI].*?<[aA][rR][eE][aA][\x20\x09\x0b\n\r]+href=[\x22\x27][fF][iI][lL][eE]\x3ajavascript\x3a/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
<delete>
payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A/
</delete>
</augment>
<augment 1904-7>
active T
comment "IMAP find overflow attempt"
comment pcre: /\sFIND\s[^\n]{100}/smi
payload /((^)|(\n+))[\x20\x09\x0b][fF][iI][nN][dD][\x20\x09\x0b][^\n]{100}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload /.*[fF][iI][nN][dD]/
</delete>
</augment>
<augment 1636-8>
active T
comment MISC Xtramail Username overflow attempt
comment pcre: /^Username\:[^\n]{100}/smi
payload /((^)|(\n+))[uU][sS][eE][rR][nN][aA][mM][eE]\:[^\n]{100}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
<delete>
payload /.*[uU][sS][eE][rR][nN][aA][mM][eE]\x3A/
</delete>
</augment>
<augment 1790-4>
active T
comment "CHAT IRC dns response"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 815-9>
active F
comment "WEB-CGI websendmail access"
comment "informational only"
comment "old signature from 06-01-1999"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2016-6>
active T
comment "RPC portmap status request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1493-5>
active T
comment "WEB-MISC RBS ISP /newuser access"
comment "port 8002 needs to be referenced and some ../ needs to be there as well"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
http /.*\x3a8002.*[\/\\]newuser\x3f.*\x2e\x2e[\/\\]/
<delete>
http /.*[\/\\]newuser/
</delete>
</augment>
<augment 581-9>
active T
comment "RPC portmap pcnfsd request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 577-13>
active F
comment "RPC portmap bootparam request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 223-3>
active T
comment "DDOS Trin00 Daemon to Master PONG message detected"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 305-9>
active T
comment "EXPLOIT delegate proxy overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2383-9>
active T
comment "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 243-2>
active T
comment "DDOS mstream agent to handler"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 2072-3>
active T
dst-ip == local_nets
comment "WEB-MISC lyris.pl admin access"
requires-reverse-signature ! http_error
http /POST.*[\/\\]lyris\.pl/
payload /list_admin=T/
event "WEB-MISC lyris.pl admin access"
<delete>
http /.*[\/\\]lyris\.pl/
event "WEB-MISC lyris.pl access"
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 472-4>
active T
comment "ICMP redirect host"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 369-6>
active F
comment "ICMP PING BayRS Router"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2470-3>
active T
comment "NETBIOS SMB C$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1650-6>
active T
comment "WEB-CGI tst.bat access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 615-8>
active F
comment "SCAN SOCKS Proxy attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 1868-5>
active T
comment "WEB-CGI story.pl arbitrary file read attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 693-5>
active T
comment "MS-SQL shellcode attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2052-3>
active T
comment "WEB-CGI overflow.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1145-7>
active T
comment "WEB-MISC /~root access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1448-10>
active T
comment "MISC MS Terminal server request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 266-6>
active T
comment "DNS EXPLOIT x86 FreeBSD overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 2092-5>
active F
comment "RPC portmap proxy integer overflow attempt UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2576-2>
active T
comment "ORACLE generate_replication_support prefix overflow attempt"
comment "pcre: /(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi"
payload "/([pP][aA][cC][kK][aA][gG][eE]|[pP][rR][oO][cC][eE][dD][uU][rR][eE])_[pP][rR][eE][fF][iI][xX][\x20\x09\x0b\r\n]*=>[\x20\x09\x0b\r\n]*('[^']{1000,}|"[^"]{1000,})/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 2125-8>
active T
comment "FTP CWD Root directory transversal attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 516-3>
active T
comment "MISC SNMP NT UserList"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1539-6>
active F
comment "WEB-CGI /cgi-bin/ls access"
comment "too many false positives"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1916-9>
active T
comment "RPC STATD TCP monitor mon_name format string exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 595-16>
active T
comment "RPC portmap espd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 534-6>
active T
comment "NETBIOS SMB CD.."
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2482-3>
active F
comment "NETBIOS SMB-DS DCERPC shutdown attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 949-6>
active T
comment "WEB-FRONTPAGE registrations.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 824-9>
active F
comment "WEB-CGI php.cgi access"
comment "informational only"
comment "too general"
comment "old signature from 06-01-1999"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2197-7>
active T
comment "WEB-CGI cvsview2.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 540-11>
active F
comment "CHAT MSN message"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1461-5>
active T
comment "WEB-CGI bb-rep.sh access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 395-6>
active F
comment "ICMP Destination Unreachable Destination Network Unknown"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1616-6>
active F
comment "DNS named version attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 1500-6>
active T
comment "WEB-MISC ExAir access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2262-4>
active T
comment SMTP SEND FROM sendmail prescan too long addresses overflow
comment pcre: /^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
payload /((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[sS][eE][nN][dD] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 2504-6>
active T
comment "SMTP SSLv3 invalid data version attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2089-5>
active T
comment "RPC ypupdated arbitrary command attempt TCP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1513-9>
active T
comment "WEB-CGI input.bat access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 682-6>
active T
comment "MS-SQL xp_enumresultset possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2282-2>
active T
comment "WEB-PHP GlobalFunctions.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2508-6>
active F
comment "NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 117-6>
active T
comment "BACKDOOR Infector.1.x"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 158-5>
active T
comment "BACKDOOR BackConstruction 2.1 Server FTP Open Reply"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1763-6>
active T
comment "WEB-CGI Nortel Contivity cgiproc DOS attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1762-4>
active T
comment "WEB-CGI phf arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1179-7>
active T
comment "WEB-PHP Phorum violation access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1494-6>
active T
comment "WEB-CGI SIX webboard generate.cgi attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1834-5>
active T
comment "WEB-PHP PHP-Wiki cross site scripting attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2475-3>
active T
comment "NETBIOS SMB-DS ADMIN$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 964-6>
active T
comment "WEB-FRONTPAGE users.pwd access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 320-9>
active T
comment "FINGER cmd_rootsh backdoor attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 878-6>
active T
comment "WEB-CGI w3tvars.pm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1452-5>
active T
comment "WEB-CGI args.cmd access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1101-7>
active T
comment "WEB-MISC Webtrends HTTP probe"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1441-4>
active T
comment "TFTP GET nc.exe"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 1207-7>
active T
comment "WEB-MISC htgrep access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1019-8>
active T
comment "WEB-IIS index server file source code attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1339-5>
active T
comment "WEB-ATTACKS chsh command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1240-5>
active T
comment "EXPLOIT MDBMS overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1557-7>
active T
comment "WEB-CGI DCShop auth_user_file.txt access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1264-13>
active T
comment "RPC portmap bootparam request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 933-7>
active T
comment "WEB-COLDFUSION onrequestend.cfm access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 512-4>
active T
comment "MISC PCAnywhere Failed Login"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1525-9>
active T
comment "WEB-MISC Axis Storpoint CD access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1348-5>
active T
comment "WEB-ATTACKS g++ command attempt"
requires-reverse-signature ! http_error
sigaction SIG_QUIET
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 902-7>
active T
comment "WEB-CGI tstisapi.dll access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1767-6>
active T
comment "WEB-MISC search.dll access"
comment "requires sambar web server"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
eval isNotIIS
eval isNotApache
</augment>
<augment 1047-9>
active T
comment "WEB-MISC Netscape Enterprise DOS"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1089-9>
active T
comment "WEB-CGI shopping cart directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 687-5>
active T
comment "MS-SQL xp_cmdshell - program execution"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2552-2>
active T
comment "EXPLOIT Oracle Web Cache HEAD overflow attempt"
comment pcre: /^HEAD[^s]{432}/sm
payload /((^)|(\n+))HEAD[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 384-5>
active F
comment "ICMP PING"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 836-7>
active T
comment "WEB-CGI textcounter.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1722-4>
active T
comment "WEB-CGI MachineInfo access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 873-8>
active F
comment "WEB-CGI scriptalias access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 477-2>
active F
comment "ICMP Source Quench"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 2198-6>
active T
comment "WEB-CGI cvslog.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 859-7>
active T
comment "WEB-CGI man.sh access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 662-5>
active T
comment "SMTP sendmail 5.5.5 exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 441-6>
active F
comment "ICMP Router Advertisement"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 880-8>
active T
comment "WEB-CGI LWGate access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1017-8>
active T
comment "WEB-IIS idc-srch attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 326-9>
active T
comment "FINGER remote command execution attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 2234-5>
active T
comment "WEB-MISC TOP10.dll access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 359-5>
active T
comment "FTP satan scan"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 2420-2>
active F
comment "MULTIMEDIA realplayer .rmp playlist download attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 2429-3>
active T
comment NNTP sendme overflow attempt
comment "pcre: /^sendme\x3a[^\n]{21}/smi"
payload /((^)|(\n+))[sS][eE][nN][dD][mM][eE]\x3a[^\n]{21}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload /.*[sS][eE][nN][dD][mM][eE]/
</delete>
</augment>
<augment 2513-7>
active F
comment "NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2427-3>
active T
comment "NNTP checkgroups overflow attempt"
comment pcre: /^checkgroups\x3a[^\n]{21}/smi
payload /((^)|(\n+))[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]\x3a[^\n]{21}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload /.*[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]/
</delete>
</augment>
<augment 2485-4>
active T
comment "WEB-CLIENT Nortan antivirus sysmspam.dll load attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 488-4>
active F
comment "INFO Connection Closed MSG from Port 80"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/info.rules
</augment>
<augment 2483-3>
active F
comment "NETBIOS SMB-DS DCERPC shutdown little endian attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2129-9>
active T
comment "WEB-IIS nsiislog.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1486-4>
active T
comment "WEB-IIS ctss.idc access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 923-7>
active T
comment "WEB-COLDFUSION getodbcin attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2245-5>
active T
comment "WEB-MISC Webnews.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2370-2>
active T
comment "WEB-MISC BugPort config.conf file access"
requires-reverse-signature ! http_error
sigaction SIG_QUIET
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2531-3>
active F
comment "IMAP SSLv3 invalid Client_Hello attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/imap.rules
</augment>
<augment 2244-4>
active T
comment "WEB-MISC VsSetCookie.exe access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1172-10>
active T
comment "WEB-CGI bigconf.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1168-5>
active T
comment "WEB-MISC mall log order access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1167-7>
active T
comment "WEB-MISC rpm_query access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 530-10>
active T
comment "NETBIOS NT NULL session"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2466-3>
active T
comment "NETBIOS SMB-DS IPC$ share unicode access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1920-6>
active T
comment FTP SITE NEWER overflow attempt
comment pcre: /^SITE\s+NEWER\s[^\n]{100}/smi
eval dataSizeG100
ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR][\x20\x09\x0b][^\n]{100}/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[sS][iI][tT][eE].*.*[nN][eE][wW][eE][rR]/
</delete>
</augment>
<augment 1410-9>
active T
comment "WEB-CGI dcboard.cgi access"
comment "too general but low occurrence"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1579-4>
active T
comment "WEB-MISC Domino webadmin.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 403-6>
active F
comment "ICMP Destination Unreachable Precedence Cutoff in effect"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2389-4>
active T
comment FTP RNTO overflow attempt
comment pcre: /^RNTO\s[^\n]{100}/smi
eval dataSizeG100
ftp /((^)|(\n+))[rR][nN][tT][oO][\x20\x09\x0b][^\n]{100}/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[rR][nN][tT][oO]/
</delete>
</augment>
<augment 2158-5>
active F
comment "MISC BGP invalid length"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 2417-1>
active T
comment "FTP format string attempt"
comment pcre: /\s+.*?%.*?%/smi
ftp /[\x20\x09\x0b]+.*?%.*?%/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1275-10>
active T
comment "RPC portmap yppasswd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2290-4>
active T
comment "WEB-PHP Advanced Poll admin_help.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1253-11>
active T
comment "TELNET bsd exploit client finishing"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 2185-7>
active T
comment "RPC mountd UDP mount path overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 387-7>
active F
comment "ICMP Address Mask Reply undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 274-5>
active T
comment "DOS ath"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 1362-5>
active T
comment "WEB-ATTACKS xterm command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2423-2>
active T
comment NNTP article post without path attempt
comment pcre: /^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si
http /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][Aa][Tt][Hh]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
http /.*\.rp/
</delete>
</augment>
<augment 1741-5>
active T
comment "WEB-PHP DNSTools access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1822-7>
active F
comment "WEB-CGI alienform.cgi directory traversal attempt"
comment "merged with s2b-1823-7"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2569-1>
active F
comment "WEB-MISC cPanel resetpass access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2043-2>
active T
comment "MISC isakmp login failed"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1586-4>
active T
comment "WEB-MISC Domino mail.box access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 542-10>
active T
comment "CHAT IRC nick change"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1643-6>
active F
comment "WEB-CGI db2www access"
comment "too general to be useful"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2577-2>
active F
comment "WEB-CLIENT local resource redirection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 2299-4>
active T
comment "WEB-PHP Advanced Poll admin_tpl_misc_new.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 275-10>
active T
comment "DOS NAPTHA"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 1890-8>
active T
comment "RPC status GHBN format string attack"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1284-10>
active T
comment "WEB-CLIENT readme.eml download attempt"
requires-signature http_msie_client
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 368-6>
active F
comment "ICMP PING BSDtype"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1735-4>
active T
comment "WEB-CLIENT XMLHttpRequest attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 379-7>
active F
comment "ICMP PING Pinger Windows"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1605-6>
active T
dst-ip == local_nets
comment "DOS iParty DOS attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2094-6>
active T
comment "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2540-3>
active F
comment "SMTP SSLv3 invalid Client_Hello attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2004-5>
active F
comment "MS-SQL Worm propagation attempt OUTBOUND"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2391-4>
active T
comment FTP APPE overflow attempt
comment pcre: /^APPE\s[^\n]{100}/smi
eval dataSizeG100
payload /((^)|(\n+))[aA][pP][pP][eE][\x20\x09\x0b][^\n]{100}/
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload /.*[aA][pP][pP][eE]/
</delete>
</augment>
<augment 2025-9>
active T
comment "RPC yppasswd username overflow attempt UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 532-8>
active T
comment "NETBIOS SMB ADMIN$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2431-3>
active T
comment NNTP rmgroup overflow attempt
comment pcre: /^rmgroup\x3a[^\n]{21}/smi
payload /((^)|(\n+))[rR][mM][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload /.*[rR][mM][gG][rR][oO][uU][pP]/
</delete>
</augment>
<augment 162-4>
active T
comment "BACKDOOR Matrix 2.0 Server access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1552-4>
active T
comment "WEB-MISC cvsweb version access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1652-6>
active T
comment "WEB-CGI campus attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 222-2>
active T
comment "DDOS tfn2k icmp possible communication"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1435-6>
active T
comment "DNS named authors attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 535-6>
active T
comment "NETBIOS SMB CD..."
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1549-16>
active T
comment SMTP HELO overflow attempt
comment pcre: /^HELO\s[^\n]{500}/smi
payload /((^)|(\n+))[hH][eE][lL][oO][\x20\x09\x0b][^\n]{500}/
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*HELO/
</delete>
</augment>
<augment 1613-7>
active F
dst-ip == local_nets
http /[\/]handler.{1,}?\;.{2,}\|/
comment "WEB-MISC handler attempt"
comment "old IRIX web server vulnerability"
requires-reverse-signature ! http_error
<delete>
http /.*[\/\\]handler/
http /.*\x7C/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 419-5>
active F
comment "ICMP Mobile Host Redirect"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 858-7>
active T
comment "WEB-CGI filemail access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 315-6>
active T
comment "EXPLOIT x86 Linux mountd overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1523-10>
active T
comment "WEB-MISC ans.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1726-4>
active T
comment "WEB-IIS doctodep.btr access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2528-7>
active F
comment "SMTP TLS PCT Client_Hello overflow attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 884-14>
active T
comment "WEB-CGI formmail access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
http /.*[\/\\]formmail{0,5}\?/
<delete>
http /.*[\/\\]formmail/
</delete>
</augment>
<augment 1086-12>
active T
comment "WEB-PHP strings overflow"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1271-14>
active T
comment "RPC portmap rusers request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1517-9>
active T
comment "WEB-CGI envout.bat access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1115-7>
active T
comment "WEB-MISC ICQ webserver DOS"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1919-12>
active T
comment FTP CWD overflow attempt
comment "pcre: /^CWD\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[cC][wW][dD]/"
</delete>
</augment>
<augment 1947-4>
active T
comment "WEB-MISC answerbook2 arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1841-5>
active T
comment "WEB-CLIENT Javascript URL host spoofing attempt"
requires-signature http_old_gecko_client
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-client.rules
</augment>
<augment 439-6>
active F
comment "ICMP Reserved for Security Type 19"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2285-2>
active T
comment "WEB-PHP rolis guestbook access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 996-8>
active T
comment "WEB-IIS anot.htr access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1571-8>
active T
comment "WEB-CGI dcforum.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 478-3>
active T
comment "ICMP Broadscan Smurf Scanner"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 1880-4>
active T
comment "WEB-MISC oracle web application server access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1934-6>
active T
comment POP2 FOLD overflow attempt
comment pcre: /^FOLD\s[^\n]{256}/smi
payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b][^\n]{256}/
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop2.rules
<delete>
payload /.*FOLD/
</delete>
</augment>
<augment 861-12>
active T
comment "WEB-CGI w3-msql access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1304-7>
active T
comment "WEB-CGI txt2html.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 998-7>
active T
comment "WEB-IIS asp-srch attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 254-4>
active T
comment "DNS SPOOF query response with TTL of 1 min. and no authority"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 941-6>
active T
comment "WEB-FRONTPAGE contents.htm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 611-7>
active T
comment "RSERVICES rlogin login failure"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 2421-2>
active F
comment "MULTIMEDIA realplayer .smi playlist download attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 2313-2>
active T
comment "SHELLCODE x86 0x71FB7BAB NOOP unicode"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 2511-9>
active F
comment "NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1538-13>
active T
comment "NNTP AUTHINFO USER overflow attempt"
comment pcre: /^AUTHINFO\s+USER\s[^\n]{200}/smi
payload /((^)|(\n+))[aA][uU][tT][hH][iI][nN][fF][oO][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{200}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/nntp.rules
<delete>
payload /.*[aA][uU][tT][hH][iI][nN][fF][oO].*.*[uU][sS][eE][rR]/
</delete>
</augment>
<augment 1373-6>
active T
comment "WEB-ATTACKS conf/httpd.conf attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1129-5>
active T
comment "WEB-MISC .htaccess access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2445-4>
active T
comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1896-8>
active T
comment "EXPLOIT kadmind buffer overflow attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2380-3>
active T
comment "EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2447-4>
active T
comment "WEB-MISC ServletManager access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1911-10>
active T
comment "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2444-4>
active T
comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 438-9>
active F
comment "ICMP Redirect undefined code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 500-4>
active T
comment "MISC source route lssr"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1937-5>
active T
comment POP3 LIST overflow attempt
comment "pcre: /^LIST\s[^\n]{10}/smi"
payload "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{10}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
<delete>
payload "/.*[lL][iI][sS][tT]/"
</delete>
</augment>
<augment 2247-3>
active T
comment "WEB-IIS UploadScript11.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1060-6>
active T
comment "WEB-MISC xp_availablemedia attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2184-7>
active T
comment "RPC mountd TCP mount path overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 385-4>
active F
comment "ICMP traceroute"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1328-5>
active T
comment "WEB-ATTACKS ps command attempt"
requires-reverse-signature ! http_error
http /.*[\/\\]bin[\/\\]ps([^-_a-zA-Z0-9.]|$)/
<delete>
http /.*[\/\\]bin[\/\\]ps/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 650-8>
active F
comment "SHELLCODE x86 setuid 0"
sigaction SIG_FILE
dst-ip == local_nets
snort-rule-file snort_rules/rules2.2/shellcode.rules
comment "Short binary pattern"
comment "Mild suspicion"
comment "too many false positives"
</augment>
<augment 2303-4>
active F
comment "WEB-PHP Advanced Poll popup.php access"
comment "informational only"
comment "too general"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 598-12>
active T
comment "RPC portmap listing TCP 111"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2283-2>
active T
comment "WEB-PHP DatabaseFunctions.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 408-5>
active F
comment "ICMP Echo Reply"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2494-5>
active F
comment "NETBIOS DCEPRC ORPCThis request flood attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 955-6>
active T
comment "WEB-FRONTPAGE access.cnf access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1560-6>
active F
comment "WEB-MISC /doc/ access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1853-6>
active T
comment "BACKDOOR win-trin00 connection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1052-8>
active T
comment "WEB-CGI technote print.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2532-3>
active F
comment "MISC LDAP SSLv3 Client_Hello request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 1739-6>
active T
comment "WEB-PHP DNSTools administrator authentication bypass attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 529-7>
active T
comment "NETBIOS DOS RFPoison"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1941-8>
active T
comment "TFTP GET filename overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/tftp.rules
</augment>
<augment 839-7>
active F
comment "WEB-CGI finger access"
comment "informational only"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2027-5>
active T
comment "RPC yppasswd old password overflow attempt UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 428-7>
active F
comment "ICMP Parameter Problem undefined Code"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1440-5>
active F
comment "MULTIMEDIA Icecast playlist redirection"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 1656-4>
active T
comment "WEB-CGI pfdispaly.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1612-8>
active T
comment "WEB-MISC ftp.pl attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2038-5>
active T
comment "RPC network-status-monitor mon-callback request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1136-5>
active T
comment "WEB-MISC cd.."
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1611-5>
active F
dst-ip == local_nets
comment "WEB-CGI eXtropia webstore access"
comment "informational only"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1807-9>
active T
comment "WEB-MISC Chunked-Encoding transfer attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
eval isApacheLt1322
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1300-7>
active T
comment "WEB-PHP admin.php file upload attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1953-5>
active T
comment "RPC AMD TCP pid request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 119-5>
active T
comment "BACKDOOR Doly 2.0 access"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1057-6>
active T
comment "WEB-MISC ftp attempt"
requires-reverse-signature ! http_error
http /.*[fF][tT][pP]\.[eE][xX][eE]/
<delete>
payload /.*[fF][tT][pP]\.[eE][xX][eE]/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 337-10>
active T
comment FTP CEL overflow attempt
comment "pcre: /^CEL\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[cC][eE][lL][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[cC][eE][lL]/"
</delete>
</augment>
<augment 2297-4>
active T
comment "WEB-PHP Advanced Poll admin_templates_misc.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1974-6>
active T
comment FTP REST overflow attempt
comment "pcre: /^REST\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[rR][eE][sS][tT][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[rR][eE][sS][tT]/"
</delete>
</augment>
<augment 1277-9>
active T
comment "RPC portmap ypupdated request UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 649-8>
active T
comment "SHELLCODE x86 setgid 0"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/shellcode.rules
comment "Short binary pattern"
comment "Mild suspicion"
</augment>
<augment 2023-4>
active T
comment "RPC mountd UDP unmountall request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2350-7>
active F
comment "NETBIOS DCERPC ISystemActivator bind accept"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1875-4>
active T
dst-ip == local_nets
comment "WEB-CGI cgicso access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 328-8>
active T
comment "FINGER bomb attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 2461-3>
active F
comment "CHAT Yahoo IM webcam watch"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1777-4>
active T
comment "FTP EXPLOIT STAT * dos attempt"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1963-9>
active T
comment "RPC RQUOTA getquota overflow attempt UDP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 862-9>
active T
comment "WEB-CGI csh access"
requires-reverse-signature ! http_error
requires-signature ! http_shell_check
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 537-11>
active T
comment "NETBIOS SMB IPC$ share access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2556-2>
active T
comment "EXPLOIT Oracle Web Cache DELETE overflow attempt"
comment pcre: /^DELETE[^s]{432}/sm
payload /((^)|(\n+))DELETE[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 694-6>
active T
comment "MS-SQL/SMB shellcode attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 1187-12>
active T
comment "WEB-MISC SalesLogix Eviewer web command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2516-10>
active T
comment "MISC LDAP PCT Client_Hello overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 161-4>
active T
comment "BACKDOOR Matrix 2.0 Client connect"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1388-12>
active T
comment MISC UPnP Location overflow
comment pcre: /^Location\:[^\n]{128}/smi
payload /((^)|(\n+))[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\n]{128}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
<delete>
payload /.*[lL][oO][cC][aA][tT][iI][oO][nN]\x3A/
</delete>
</augment>
<augment 1615-5>
active T
comment "WEB-MISC htgrep attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2249-3>
active T
comment "WEB-IIS /pcadmin/login.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1437-5>
active F
comment "MULTIMEDIA Windows Media audio download"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/multimedia.rules
</augment>
<augment 146-5>
active T
comment "BACKDOOR NetSphere access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2566-1>
active T
comment "WEB-PHP PHPBB viewforum.php access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2046-6>
active T
comment IMAP partial body.peek buffer overflow attempt
comment "pcre: /\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"
payload "/((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[[^\]]{1024}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[pP][aA][rR][tT][iI][aA][lL].*.*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[/"
</delete>
</augment>
<augment 1731-7>
active T
comment "WEB-CGI a1stats access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 279-3>
active T
comment "DOS Bay/Nortel Nautica Marlin"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2571-1>
active T
comment "WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 425-6>
active F
comment "ICMP Parameter Problem Bad Length"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1606-6>
active F
comment "WEB-CGI icat access"
requires-reverse-signature ! http_error
http /.*[\/\\]icat([^\.][^h][^t][^m]|$)/
<delete>
http /.*[\/\\]icat/
</delete>
sigaction SIG_LOG
comment "too many false positives"
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 975-12>
active T
comment "WEB-IIS Alternate Data streams ASP file access attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 163-8>
active T
comment "BACKDOOR WinCrash 1.0 Server Active"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 451-5>
active F
comment "ICMP Timestamp Reply"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 2024-8>
active T
comment "RPC RQUOTA getquota overflow attempt TCP"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2174-4>
active T
comment "NETBIOS SMB winreg access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1635-13>
active T
comment POP3 APOP overflow attempt
comment "pcre: /^APOP\s[^\n]{256}/smi"
payload "/((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b][^\n]{256}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
<delete>
payload "/.*[aA][pP][oO][pP]/"
</delete>
</augment>
<augment 394-6>
active F
comment "ICMP Destination Unreachable Destination Host Unknown"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 475-3>
active T
comment "ICMP traceroute ipopts"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 2223-5>
active F
comment "WEB-CGI csNews.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
comment "Informational only"
</augment>
<augment 270-6>
active T
comment "DOS Teardrop attack"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2231-5>
active T
comment "WEB-MISC register.dll access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1400-4>
active T
comment "WEB-IIS /scripts/samples/ access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1184-6>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1839-4>
active T
comment "WEB-MISC mailman cross site scripting attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1360-5>
active T
comment "WEB-ATTACKS netcat command attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1601-7>
active T
comment "WEB-CGI htsearch arbitrary file read attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 962-9>
active T
comment "WEB-FRONTPAGE shtml.exe access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1180-12>
active T
comment "WEB-MISC get32.exe access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2551-2>
active T
comment "EXPLOIT Oracle Web Cache GET overflow attempt"
comment pcre: /^GET[^s]{432}/sm
payload /((^)|(\n+))GET[^s]{432}/
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 514-5>
active T
comment "MISC ramen worm"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 224-3>
active T
comment "DDOS Stacheldraht server spoof"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 2316-6>
active T
comment "NETBIOS DCERPC Workstation Service direct service access attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 247-4>
active T
comment "DDOS mstream client to handler"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 919-7>
active T
comment "WEB-COLDFUSION datasource password attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 1835-5>
active T
comment "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1758-3>
active T
comment "WEB-MISC b2 access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 953-7>
active T
comment "WEB-FRONTPAGE administrators.pwd access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1465-8>
active T
comment "WEB-CGI auktion.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1367-5>
active T
comment "WEB-ATTACKS mail command attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1421-11>
active T
comment "SNMP AgentX/tcp request"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2258-6>
active T
comment "NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1811-8>
active T
comment "ATTACK-RESPONSES successful gobbles ssh exploit uname"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1183-8>
active T
comment "WEB-MISC Netscape Enterprise Server directory view"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 918-6>
active T
comment "WEB-COLDFUSION expeval access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
</augment>
<augment 2515-9>
active F
comment "WEB-MISC PCT Client_Hello overflow attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1270-11>
active T
comment "RPC portmap rstatd request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 2512-7>
active F
comment "NETBIOS SMB-DS DCERPC LSASS bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1347-5>
active T
comment "WEB-ATTACKS /usr/bin/g++ command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1100-7>
active T
comment "WEB-MISC L3retriever HTTP Probe"
requires-reverse-signature ! http_error
sigaction SIG_QUIET
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1127-7>
active T
comment "WEB-MISC convert.bas access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2340-4>
active T
comment FTP SITE CHMOD overflow attempt
comment "pcre: /^SITE\s+CHMOD\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][mM][oO][dD][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[sS][iI][tT][eE].*.*[cC][hH][mM][oO][dD]/"
</delete>
</augment>
<augment 1504-6>
active F
comment "MISC AFS access"
comment "informational only, not exploit worthy"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 896-11>
active T
comment "WEB-CGI way-board access"
dst-ip == local_nets
requires-reverse-signature ! http_error
http /.*[\/\\]way-board\?db\=.{2,}\x00/
<delete>
http /.*[\/\\]way-board/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1855-7>
active T
comment "DDOS Stacheldraht agent->handler skillz"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 256-5>
active T
comment "DNS named authors attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 989-8>
active T
comment "WEB-IIS Unicode2.pl script File permission canonicalization"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1352-5>
active T
comment "WEB-ATTACKS tclsh execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1209-5>
active T
comment "WEB-MISC .nsconfig access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1900-10>
active T
comment "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 366-7>
active F
comment "ICMP PING *NIX"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1361-5>
active T
comment "WEB-ATTACKS nmap command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 872-9>
active T
comment "WEB-CGI tcsh access"
requires-reverse-signature ! http_error
requires-signature ! http_shell_check
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1274-17>
active T
comment "RPC portmap ttdbserv request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1817-4>
active T
comment "WEB-IIS MS Site Server default login attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1079-11>
active T
comment "WEB-MISC WebDAV propfind access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2309-6>
active T
comment "NETBIOS SMB DCERPC Workstation Service bind attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1657-6>
active T
comment "WEB-CGI pagelog.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 982-9>
active T
comment "WEB-IIS unicode directory traversal attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 845-7>
active T
comment "WEB-CGI AT-admin.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 849-8>
active F
comment "WEB-CGI view-source access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 655-8>
active T
comment "SMTP sendmail 8.6.9 exploit"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 2278-6>
active T
comment "WEB-MISC negative Content-Length attempt"
comment pcre: /^Content-Length\x3a\s+-\d+/+/smi
http /((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3a[\x20\x09\x0b]+-[0-9]+\/+/
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
payload /.*[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3A/
</delete>
</augment>
<augment 2265-4>
active T
comment SMTP SOML FROM sendmail prescan too many addresses overflow
comment "pcre: /^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^"
payload "/((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[sS][oO][mM][lL] [fF][rR][oO][mM]\x3A/
</delete>
</augment>
<augment 240-2>
active T
comment "DDOS shaft agent to handler"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 398-6>
active F
comment "ICMP Destination Unreachable Host Unreachable for Type of Service"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 888-5>
active T
comment "WEB-CGI wwwadmin.pl access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 493-5>
active F
comment "INFO psyBNC access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/info.rules
</augment>
<augment 948-6>
active T
comment "WEB-FRONTPAGE form_results access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1489-5>
active T
comment "WEB-MISC /~nobody access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1713-4>
active F
comment "WEB-CGI cgforum.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1153-5>
active T
comment "WEB-MISC Domino log.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1654-4>
active T
comment "WEB-CGI cart32.exe access"
dst-ip == local_nets
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2083-8>
active T
comment "RPC rpc.xfsmd xfs_export attempt UDP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 960-6>
active T
comment "WEB-FRONTPAGE service.stp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1018-9>
active T
comment "WEB-IIS iisadmpwd attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1257-8>
active T
comment "DOS Winnuke attack"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2442-6>
active T
comment WEB-MISC Quicktime User-Agent buffer overflow attempt
comment pcre: /^User-Agent\x3a[^\n]{244,255}/smi
http /((^)|(\n+))[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3a[^\n]{244,255}/
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
payload /.*[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3A/
</delete>
</augment>
<augment 484-4>
active T
comment "ICMP PING Sniffer Pro/NetXRay network scan"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 1565-8>
active T
comment "WEB-CGI eshop.pl arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1016-10>
active T
comment "WEB-IIS global.asa access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1607-5>
active F
comment "WEB-CGI HyperSeek hsx.cgi access"
comment "informational only"
comment "old signature based on NT 4.0 and Linux 2.3x kernel"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 721-7>
active F
comment "VIRUS OUTBOUND bad file attachment"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/virus.rules
</augment>
<augment 467-3>
active T
comment "ICMP Nemesis v1.1 Echo"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 987-12>
active T
comment "WEB-IIS .htr access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2338-5>
active T
comment FTP LIST buffer overflow attempt
comment "pcre: /^LIST\s[^\n]{100,}/smi"
ftp "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{100,}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[lL][iI][sS][tT]/"
</delete>
</augment>
<augment 1040-6>
active T
comment "WEB-IIS srchadm access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2463-6>
active T
comment "EXPLOIT IGMP IGAP message overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 1192-6>
active T
comment "WEB-MISC Trend Micro OfficeScan access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1603-5>
active T
comment "WEB-MISC DELETE attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
payload /[dD][eE][lL][eE][tT][eE] /
</delete>
http /.{0,7}[dD][eE][lL][eE][tT][eE] /
</augment>
<augment 363-7>
active F
comment "ICMP IRDP router advertisement"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1584-4>
active T
comment "WEB-MISC Domino bookmark.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1830-5>
active T
comment "WEB-MISC Tomcat SnoopServlet servlet access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1976-6>
active T
comment FTP RMD overflow attempt
comment "pcre: /^RMD\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[rR][mM][dD][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[rR][mM][dD]/"
</delete>
</augment>
<augment 476-4>
active T
comment "ICMP webtrends scanner"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/icmp.rules
</augment>
<augment 602-5>
active T
comment "RSERVICES rlogin bin"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 1897-8>
active T
comment "EXPLOIT kadmind buffer overflow attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 336-10>
active T
comment FTP CWD ~root attempt
comment "pcre: /^CWD\s+~root/smi"
payload "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b]+~[rR][oO][oO][tT]/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[cC][wW][dD].{1}.*~[rR][oO][oO][tT]/"
</delete>
</augment>
<augment 2039-4>
active T
comment "MISC bootp hostname format string attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 2194-6>
active T
comment "WEB-CGI CSMailto.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1564-6>
active F
comment "WEB-MISC login.htm access"
comment "this is removed since *any* login.htm will match "
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1341-5>
active T
comment "WEB-ATTACKS /usr/bin/gcc command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 2295-4>
active T
comment "WEB-PHP Advanced Poll admin_settings.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2345-4>
active T
comment "WEB-PHP PhpGedView search.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2509-7>
active F
comment "NETBIOS SMB DCERPC LSASS unicode bind attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1471-5>
active T
comment "WEB-CGI mailnews.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2036-6>
active T
comment "RPC portmap network-status-monitor request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 257-8>
active T
comment "DNS named version attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 958-6>
active T
comment "WEB-FRONTPAGE service.cnf access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 2289-4>
active T
comment "WEB-PHP Advanced Poll admin_embed.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1249-10>
active T
comment "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-frontpage.rules
</augment>
<augment 1583-4>
active T
comment "WEB-MISC Domino mailw46.nsf access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1775-2>
active T
comment "MYSQL root login attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/mysql.rules
</augment>
<augment 1808-6>
active T
comment "WEB-MISC apache chunked encoding memory corruption exploit attempt"
requires-signature ! http_msie_client
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1528-8>
active T
comment "WEB-MISC BBoard access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2270-4>
active T
comment SMTP RCPT TO sendmail prescan too long addresses overflow
comment "pcre: /^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
payload "/((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{200,}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}/"
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
</delete>
</augment>
<augment 2128-5>
active T
comment "WEB-CGI swsrv.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1416-9>
active T
comment "SNMP broadcast trap"
requires-reverse-signature snmp_userver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 2387-4>
active T
comment "WEB-CGI view_broadcast.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 273-7>
active T
comment "DOS IGMP dos attack"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 2232-5>
active T
comment "WEB-MISC ContentFilter.dll access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1102-7>
active T
comment "WEB-MISC Nessus 404 probe"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 456-5>
active F
comment "ICMP Traceroute"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/icmp-info.rules
</augment>
<augment 1285-6>
active T
comment "WEB-IIS msdac access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1548-9>
active T
comment "WEB-CGI csSearch.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
eval isApacheLt1325
</augment>
<augment 1765-6>
active T
comment "WEB-CGI Nortel Contivity cgiproc access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 712-8>
active T
comment "TELNET ld_library_path"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 1027-8>
active T
comment "WEB-IIS perl-browse space attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1420-11>
active T
comment "SNMP trap tcp"
requires-reverse-signature snmp_tserver_ok_return
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/snmp.rules
</augment>
<augment 282-7>
active T
comment "DOS arkiea backup"
sigaction SIG_QUIET
snort-rule-file snort_rules/rules2.2/dos.rules
</augment>
<augment 360-7>
active T
comment "FTP serv-u directory traversal"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1705-7>
active T
comment "WEB-CGI echo.bat arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1821-7>
active T
comment "EXPLOIT LPD dvips remote command execution attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/exploit.rules
</augment>
<augment 2452-4>
active F
comment "CHAT Yahoo IM ping"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 504-6>
active T
comment "MISC source port 53 to <1024"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 267-5>
active T
comment "DNS EXPLOIT sparc overflow attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/dns.rules
</augment>
<augment 1001-7>
active T
comment "WEB-MISC carbo.dll access"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1931-3>
active T
comment "WEB-CGI rpc-nlog.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1116-6>
active T
comment "WEB-MISC Lotus DelDoc attempt"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 288-6>
active T
comment "POP3 EXPLOIT x86 Linux overflow"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 1281-7>
active T
comment "RPC portmap listing UDP 32771"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 1655-4>
active T
comment "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1262-9>
active F
comment "RPC portmap admind request TCP"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/rpc.rules
</augment>
<augment 118-5>
active T
comment "BACKDOOR SatansBackdoor.2.0.Beta"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1646-5>
active T
comment "WEB-CGI test.cgi access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 289-6>
active T
comment "POP3 EXPLOIT x86 SCO overflow"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 2371-2>
active T
comment "WEB-MISC Sample_showcode.html access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1377-14>
active F
comment "FTP wu-ftp bad file completion attempt ["
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1112-6>
active F
comment "WEB-MISC http directory traversal"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1820-7>
active T
comment "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1364-5>
active T
comment "WEB-ATTACKS lsof command attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-attacks.rules
</augment>
<augment 1026-9>
active T
comment "WEB-IIS perl-browse newline attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1387-7>
active T
comment "MS-SQL raiserror possible buffer overflow"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/sql.rules
</augment>
<augment 2090-8>
active T
comment "WEB-IIS WEBDAV exploit attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1703-7>
active T
comment "WEB-CGI auktion.cgi directory traversal attempt"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 2381-5>
active T
comment WEB-MISC schema overflow attempt
comment pcre: /^[^\/]{14,}?\x3a\/\//U
http /^[^\/]{14,}?\x3a\/\//
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
<delete>
http /.*\x3A[\/\\][\/\\]/
</delete>
</augment>
<augment 1139-7>
active T
comment "WEB-MISC whisker HEAD/./"
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1432-6>
active F
comment "P2P GNUTella client request"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/p2p.rules
</augment>
<augment 2328-3>
active T
comment "WEB-PHP authentication_index.php access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 631-6>
active T
comment "SMTP ehlo cybercop attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 621-6>
active F
comment "SCAN FIN"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 2257-5>
active T
comment "NETBIOS DCERPC Messenger Service buffer overflow attempt"
sigaction SIG_FILE
# sigaction SIG_SUMMARY
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 1632-6>
active F
comment "CHAT AIM send message"
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1295-9>
active T
comment "NETBIOS nimda RICHED20.DLL"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/netbios.rules
</augment>
<augment 2527-3>
active F
comment "SMTP STARTTLS attempt"
requires-reverse-signature ! smtp_server_fail
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/smtp.rules
</augment>
<augment 195-5>
active T
comment "BACKDOOR DeepThroat 3.1 Server Response"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2117-5>
active T
comment "WEB-IIS Battleaxe Forum login.asp access"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1252-13>
active T
comment "TELNET bsd telnet exploit response"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 1007-6>
active T
comment "WEB-IIS cross-site scripting attempt"
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1761-3>
active T
comment "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/other-ids.rules
</augment>
<augment 1942-4>
active T
comment FTP RMDIR overflow attempt
comment "pcre: /^RMDIR\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[rR][mM][dD][iI][rR][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[rR][mM][dD][iI][rR]/"
</delete>
</augment>
<augment 1466-8>
active T
comment "WEB-CGI cgiforum.pl access"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1481-4>
active T
comment WEB-CGI upload.cgi access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 517-1>
active T
comment MISC xdmcp query
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/misc.rules
</augment>
<augment 634-2>
active T
comment SCAN Amanda client version request
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/scan.rules
</augment>
<augment 2067-2>
active F
comment WEB-MISC Lotus Notes .exe script source download attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2154-1>
active T
comment WEB-PHP autohtml.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2144-1>
active T
comment WEB-PHP b2 cafelog gm-2-b2.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 211-3>
active T
comment BACKDOOR MISC r00t attempt
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2406-1>
active T
comment TELNET APC SmartSlot default admin account attempt
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/telnet.rules
</augment>
<augment 2314-1>
active T
comment SHELLCODE x86 0x90 NOOP unicode
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 218-4>
active F
comment BACKDOOR MISC Solaris 2.5 attempt
comment "too general"
comment "too many false positives"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 285-6>
active T
comment POP2 x86 Linux overflow
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop2.rules
</augment>
<augment 234-2>
active T
comment DDOS Trin00 Attacker to Master default password
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ddos.rules
</augment>
<augment 1667-5>
active T
comment WEB-MISC cross site scripting HTML Image tag set to javascript attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2134-2>
active T
comment WEB-IIS register.asp access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2359-2>
active T
comment WEB-PHP Invision Board ipchat.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2434-1>
active T
comment WEB-CGI MDaemon form2raw.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1061-6>
active T
comment WEB-MISC xp_cmdshell attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1653-4>
active F
comment WEB-CGI campus access
comment NCSA web server only, deprecate sig
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-cgi.rules
</augment>
<augment 1676-3>
active T
comment "ORACLE select union attempt"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 1681-3>
active T
comment "ORACLE all_views access"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 1688-3>
active T
comment ORACLE user_tablespace access
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 2394-1>
active F
comment WEB-MISC Compaq web-based management agent denial of service attempt
comment "too general"
comment "too many false positives"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2330-1>
active T
comment IMAP auth overflow attempt
comment "pcre: /AUTH\s[^\n]{100}/smi"
payload "/((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{100}/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[aA][uU][tT][hH]/"
</delete>
</augment>
<augment 107-6>
active T
comment BACKDOOR subseven DEFCON8 2.1 access
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1424-6>
active T
comment SHELLCODE x86 0xEB0C NOOP
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/shellcode.rules
</augment>
<augment 1530-6>
active T
comment FTP format string attempt
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1144-5>
active T
comment WEB-MISC /cgi-bin/// access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1935-4>
active T
comment POP2 FOLD arbitrary file attempt
comment "pcre: /^FOLD\s+\//smi"
payload "/((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b]+\//"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop2.rules
<delete>
payload /.*FOLD/
</delete>
</augment>
<augment 2078-2>
active T
dst-ip == local_nets
comment WEB-PHP phpBB privmsg.php access
requires-reverse-signature ! http_error
http /.*[\/\\]privmsg\.php.{1,}?[Ff][Oo][Ll][Dd][Ee][Rr]=.{1,}[Mm][Oo][Dd][Ee]=.{1,}[Cc][Oo][Nn][Ff][Ii][Rr][Mm]=[Yy][Ee][Ss]/
<delete>
http /.*[\/\\]privmsg\.php/
</delete>
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1991-1>
active F
comment CHAT MSN login attempt
comment "informational only"
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/chat.rules
</augment>
<augment 1622-5>
active F
comment FTP RNFR ././ attempt
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 1677-3>
active T
comment ORACLE select like '%' attempt
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 2400-1>
active T
comment WEB-MISC edittag.pl access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1541-4>
active T
comment FINGER version query
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/finger.rules
</augment>
<augment 1993-4>
active T
comment IMAP login literal buffer overflow attempt
comment "pcre: /\sLOGIN\s[^\n]*?\s\{/smi"
payload "/((^)|(\n+))[lL][oO][gG][iI][nN][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/imap.rules
<delete>
payload "/.*[lL][oO][gG][iI][nN]/"
</delete>
</augment>
<augment 2343-1>
active T
comment FTP STOR overflow attempt
comment "pcre: /^STOR\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[sS][tT][oO][rR][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[sS][tT][oO][rR]/"
</delete>
</augment>
<augment 1499-5>
active T
comment WEB-MISC SiteScope Service access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 2108-3>
active T
comment POP3 CAPA overflow attempt
comment "pcre: /^CAPA\s[^\n]{10}/smi"
payload "/((^)|(\n+))[cC][aA][pP][aA][\x20\x09\x0b][^\n]{10}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
<delete>
payload "/.*[cC][aA][pP][aA]/"
</delete>
</augment>
<augment 1983-1>
active T
comment BACKDOOR DeepThroat 3.1 Connection attempt [4120]
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1977-1>
active T
comment WEB-MISC xp_regwrite attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1754-2>
active T
comment WEB-IIS as_web4.exe access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 1927-2>
active T
comment FTP authorized_keys
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/ftp.rules
</augment>
<augment 2075-2>
active T
comment WEB-PHP Mambo upload.php upload php file attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 1981-1>
active T
comment BACKDOOR DeepThroat 3.1 Connection attempt [3150]
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 1874-1>
active T
comment WEB-MISC Oracle Java Process Manager access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 1201-7>
active F
comment ATTACK-RESPONSES 403 Forbidden
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/attack-responses.rules
</augment>
<augment 1567-5>
active T
comment WEB-IIS /exchange/root.asp attempt
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-iis.rules
</augment>
<augment 2362-2>
active T
comment WEB-PHP YaBB SE packages.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2356-2>
active T
comment WEB-PHP WebChat db_mysql.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
</augment>
<augment 2142-1>
active F
comment WEB-PHP shoutbox.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-php.rules
comment "Informational only"
</augment>
<augment 1684-3>
active T
comment ORACLE all_tab_columns access
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/oracle.rules
</augment>
<augment 1944-1>
active T
comment WEB-MISC /ecscripts/ecware.exe access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 212-3>
active T
comment BACKDOOR MISC rewt attempt
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/backdoor.rules
</augment>
<augment 2407-1>
active F
comment WEB-MISC util.pl access
comment "too general"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
</augment>
<augment 660-7>
active T
comment SMTP expn root
comment "pcre: /^expn\s+root/smi"
payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][rR][oO][oO][tT]/"
sigaction SIG_FILE
requires-reverse-signature ! smtp_server_fail
snort-rule-file snort_rules/rules2.2/smtp.rules
<delete>
payload "/.*[eE][xX][pP][nN]/"
payload "/.*[rR][oO][oO][tT]/"
</delete>
</augment>
<augment 1559-5>
active F
comment WEB-MISC /doc/packages access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/web-misc.rules
comment "too many false positives"
</augment>
<augment 2250-1>
active T
comment POP3 USER format string attempt
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/pop3.rules
</augment>
<augment 1229-7>
active T
comment FTP CWD ...
comment "pcre: /^CWD\s[^\n]*?\.\.\./smi"
payload "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]*?\.\.\./"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file snort_rules/rules2.2/ftp.rules
<delete>
payload "/.*[cC][wW][dD].*.*\.\.\./"
</delete>
</augment>
<augment 604-5>
active T
comment RSERVICES rsh froot
sigaction SIG_LOG
snort-rule-file snort_rules/rules2.2/rservices.rules
</augment>
<augment 556-5>
active F
comment P2P Outbound GNUTella client request
comment "informational only"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
</augment>
<augment 717-6>
active T
comment TELNET not on console
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
</augment>
<augment 1857-3>
active F
comment WEB-MISC robot.txt access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2321-1>
active T
comment WEB-IIS foxweb.exe access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1076-6>
active T
comment WEB-IIS repost.asp access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1946-3>
active T
comment WEB-MISC answerbook2 admin attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2276-1>
active T
comment WEB-MISC oracle portal demo access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 658-5>
active T
comment SMTP exchange mime DOS
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
</augment>
<augment 659-6>
active T
comment SMTP expn decode
comment "pcre: /^expn\s+decode/smi"
payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][dD][eE][cC][oO][dD][eE]/"
sigaction SIG_FILE
requires-reverse-signature ! smtp_server_fail
snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
<delete>
payload "/.*[eE][xX][pP][nN]/"
payload "/.*[dD][eE][cC][oO][dD][eE]/"
</delete>
</augment>
<augment 2409-1>
active T
comment POP3 APOP USER overflow attempt
comment "pcre: /^APOP\s+USER\s[^\n]{256}/smi"
payload "/((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{256}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
<delete>
payload "/.*[aA][pP][oO][pP]/"
</delete>
</augment>
<augment 1520-6>
active T
comment WEB-MISC server-info access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1879-5>
active T
dst-ip == local_nets
http /.*[\/]book\.cgi\?.{1,}\|.{2,}\|/
comment WEB-CGI book.cgi arbitrary command execution attempt
requires-reverse-signature ! http_error
<delete>
http /.*[\/\\]book\.cgi/
payload /.*[cC][uU][rR][rR][eE][nN][tT]=\x7C/
</delete>
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 2342-1>
active T
comment WEB-PHP DCP-Portal remote file include attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2304-2>
active T
comment WEB-PHP files.inc.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2135-1>
active T
comment WEB-MISC philboard.mdb access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2341-1>
active T
comment WEB-PHP DCP-Portal remote file include attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1831-3>
active T
comment WEB-MISC jigsaw dos attempt
comment "not iis or apache web server"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
eval isNotIIS
eval isNotApache
</augment>
<augment 2398-1>
active T
comment WEB-PHP WAnewsletter newsletter.php file include attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2354-2>
active T
comment WEB-PHP IdeaBox notification.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 930-5>
active T
comment WEB-COLDFUSION snippets attempt
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
</augment>
<augment 2156-1>
active T
comment WEB-MISC mod_gzip_status access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1329-5>
active F
comment WEB-ATTACKS ps command attempt
comment this sig is *too* general to be useful
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-attacks.rules
</augment>
<augment 1059-6>
active T
comment WEB-MISC xp_filelist attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 913-5>
active T
comment WEB-COLDFUSION cfappman access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
</augment>
<augment 1670-4>
active T
comment WEB-MISC /home/ftp access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2127-1>
active T
comment WEB-CGI ikonboard.cgi access
dst-ip == local_nets
payload /Cookie: [^\=]{1,}\=\/[^\x0D\x0A]{2,}\x0D\x0A\x0D\x0A/
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 1984-1>
active T
comment BACKDOOR DeepThroat 3.1 Server Response [4120]
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 1671-4>
active F
comment WEB-MISC /home/www access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
comment "Informational only"
</augment>
<augment 1463-6>
active T
comment CHAT IRC message
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/chat.rules
</augment>
<augment 2062-1>
active T
comment WEB-MISC iPlanet .perf access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1867-1>
active T
comment MISC xdmcp info query
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/misc.rules
</augment>
<augment 2322-1>
active T
comment WEB-IIS foxweb.dll access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1623-6>
active T
comment FTP invalid MODE
comment "pcre: /^MODE\s+[^ABSC]{1}/msi"
ftp "/((^)|(\n+))[mM][oO][dD][eE][\x20\x09\x0b]+[^aAbBsScC]{1}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[mM][oO][dD][eE]/"
</delete>
</augment>
<augment 1666-5>
active T
comment ATTACK-RESPONSES index of /cgi-bin/ response
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/attack-responses.rules
</augment>
<augment 1694-3>
active T
comment ORACLE alter table attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 2319-1>
active T
comment EXPLOIT ebola PASS overflow attempt
comment "pcre: /^PASS\s[^\n]{49}/smi"
payload "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{49}/"
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
<delete>
payload "/.*[pP][aA][sS][sS]/"
</delete>
</augment>
<augment 1044-6>
active T
comment WEB-IIS webhits access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 214-4>
active T
comment BACKDOOR MISC Linux rootkit attempt lrkr0x
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 563-6>
active F
comment P2P Napster Client Data
comment "informational only"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
</augment>
<augment 2074-2>
active T
comment WEB-PHP Mambo uploadimage.php upload php file attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1967-1>
active T
comment WEB-PHP phpbb quick-reply.php arbitrary command attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1928-3>
active T
comment FTP shadow retrieval attempt
requires-reverse-signature ! ftp_server_error
requires-signature got_ftp_root
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
</augment>
<augment 1756-2>
active T
comment WEB-IIS NewsPro administration authentication attempt
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 2059-1>
active F
dst-ip == local_nets
comment WEB-MISC MsmMask.exe access
comment "informational only"
comment "verify that the application is not vulnerable"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 217-3>
active T
comment BACKDOOR MISC sm4ck attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 628-3>
active F
comment SCAN nmap TCP
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
</augment>
<augment 2353-2>
active T
comment WEB-PHP IdeaBox cord.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2373-1>
active T
comment FTP XMKD overflow attempt
comment "pcre: /^XMKD\s[^\n]{100}/smi"
eval dataSizeG100
payload "/((^)|(\n+))[xX][mM][kK][dD][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[xX][mM][kK][dD]/"
</delete>
</augment>
<augment 711-5>
active T
comment TELNET SGI telnetd format bug
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
</augment>
<augment 1791-2>
active F
comment BACKDOOR fragroute trojan connection attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 2071-1>
active T
comment WEB-MISC post32.exe access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2152-1>
active F
comment WEB-PHP test.php access
comment "informational only"
requires-reverse-signature ! http_error
http /.*[\/\\]test\.php(\?.{1,}|$)/
<delete>
http /.*[\/\\]test\.php/
</delete>
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1687-3>
active T
comment ORACLE dba_tables access
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 714-4>
active T
comment TELNET resolv_host_conf
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
</augment>
<augment 2076-2>
active T
comment WEB-PHP Mambo uploadimage.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1058-6>
active T
comment WEB-MISC xp_enumdsn attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1773-3>
active T
comment WEB-PHP php.exe access
requires-reverse-signature ! http_error
http /.*\/php\/php\.exe\?[cCdD]\:\//
<delete>
http /.*[\/\\]php\.exe/
</delete>
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 284-6>
active T
comment POP2 x86 Linux overflow
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop2.rules
</augment>
<augment 1753-2>
active T
comment WEB-IIS as_web.exe access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1938-4>
active T
comment POP3 XTND overflow attempt
comment pcre: /^XTND\s[^\n]{50}/smi
payload /((^)|(\n+))[xX][tT][nN][dD][\x20\x09\x0b][^\n]{50}/
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
</augment>
<augment 1142-5>
active T
comment WEB-MISC /.... access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2397-2>
active T
comment WEB-CGI CCBill whereami.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 2060-1>
active T
comment WEB-MISC DB4Web access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1551-3>
active F
comment WEB-MISC /CVS/Entries access
comment "informational only"
comment "not exploit worthy"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 636-1>
active T
comment SCAN cybercop udp bomb
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
</augment>
<augment 2346-2>
active T
comment WEB-PHP myPHPNuke chatheader.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 561-6>
active F
comment P2P Napster Client Data
comment "informational only"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
</augment>
<augment 2224-1>
active T
comment WEB-CGI psunami.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 2112-3>
active T
comment POP3 RSET overflow attempt
comment "pcre: /^RSET\s[^\n]{10}/smi"
payload "/((^)|(\n+))[rR][sS][eE][tT][\x20\x09\x0b][^\n]{10}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
<delete>
payload "/.*[rR][sS][eE][tT]/"
</delete>
</augment>
<augment 209-4>
active T
comment BACKDOOR w00w00 attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 1673-3>
active T
comment ORACLE EXECUTE_SYSTEM attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 2132-2>
active T
comment WEB-IIS Synchrologic Email Accelerator userid list access attempt
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 2253-3>
active T
comment SMTP XEXCH50 overflow attempt
comment pcre: /^XEXCH50\s+-\d/smi
payload /((^)|(\n+))[xX][eE][xX][cC][hH]50[\x20\x09\x0b]+-[0-9]/
sigaction SIG_LOG
requires-reverse-signature ! smtp_server_fail
snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
<delete>
payload "/.*[xX][eE][xX][cC][hH]50/"
</delete>
</augment>
<augment 2433-1>
active T
comment WEB-CGI MDaemon form2raw.cgi overflow attempt
comment "pcre: /\Wfrom=[^\x3b&\n]{100}/si"
http "/[^a-zA-Z0-9_][fF][rR][oO][mM]=[^\x3b&\n]{100}/"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
<delete>
http "/.*[\/\\]form2raw\.cgi/"
</delete>
</augment>
<augment 210-3>
active T
comment BACKDOOR attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 1978-1>
active T
comment WEB-MISC xp_regdeletekey attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2364-2>
active T
comment WEB-PHP Cyboards options_form.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2360-2>
active T
comment WEB-PHP myphpPagetool pt_config.inc file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1696-3>
active T
comment ORACLE create database attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 2332-1>
active T
comment FTP MKDIR format string attempt
comment "pcre: /^MKDIR\s[^\n]*?%[^\n]*?%/smi"
ftp "/((^)|(\n+))[mM][kK][dD][iI][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[mM][kK][dD][iI][rR]/"
</delete>
</augment>
<augment 2358-2>
active T
comment WEB-PHP Typo3 translations.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1744-3>
active T
comment WEB-MISC SecureSite authentication bypass attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1686-3>
active T
comment ORACLE dba_tablespace access
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 1659-3>
active T
comment WEB-COLDFUSION sendmail.cfm access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
</augment>
<augment 2365-2>
active T
comment WEB-PHP newsPHP Language file include attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1689-3>
active T
comment ORACLE sys.all_users access
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 1772-4>
active T
comment WEB-IIS pbserver access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 2333-1>
active T
comment FTP RENAME format string attempt
comment "pcre: /^RENAME\s[^\n]*?%[^\n]*?%/smi"
ftp "/((^)|(\n+))[rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[rR][eE][nN][aA][mM][eE]/"
</delete>
</augment>
<augment 1518-5>
active T
comment WEB-MISC nstelemetry.adp access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 715-6>
active T
comment TELNET Attempted SU from wrong group
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
</augment>
<augment 1692-3>
active T
comment ORACLE drop table attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 2449-1>
active T
comment FTP ALLO overflow attempt
comment "pcre: /^ALLO\s[^\n]{100}/smi"
comment "corrected translation: a single character class [aAlLlLoO] matched only one character instead of the ALLO verb, so the documented pcre could never fire"
payload "/((^)|(\n+))[aA][lL][lL][oO][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[aA][lL][lL][oO]/"
</delete>
</augment>
<augment 2066-2>
active T
comment WEB-MISC Lotus Notes .pl script source download attempt
comment "requires a Lotus Notes web server"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
eval isNotApache
eval isNotIIS
</augment>
<augment 1498-4>
active T
comment WEB-MISC PIX firewall manager directory traversal attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1056-6>
active F
comment WEB-MISC Tomcat view source attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
comment "Informational only"
comment "Too general"
</augment>
<augment 2344-1>
active T
comment FTP XCWD overflow attempt
comment "pcre: /^XCWD\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[xX][cC][wW][dD][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[xX][cC][wW][dD]/"
</delete>
</augment>
<augment 237-2>
active T
comment DDOS Trin00 Master to Daemon default password attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
</augment>
<augment 2153-1>
active T
comment WEB-PHP autohtml.php directory traversal attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2405-1>
active T
comment WEB-PHP phptest.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1075-6>
active T
comment WEB-IIS postinfo.asp access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1568-5>
active T
comment WEB-IIS /exchange/root.asp access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 235-2>
active T
comment DDOS Trin00 Attacker to Master default mdie password
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
</augment>
<augment 2110-3>
active T
comment POP3 STAT overflow attempt
comment "pcre: /^STAT\s[^\n]{10}/smi"
payload "/((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{10}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
<delete>
payload "/.*[sS][tT][aA][tT]/"
</delete>
</augment>
<augment 1968-1>
active T
comment WEB-PHP phpbb quick-reply.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 213-4>
active T
comment BACKDOOR MISC Linux rootkit attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 1143-5>
active T
comment WEB-MISC ///cgi-bin access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2131-2>
active T
comment WEB-IIS IISProtect access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1621-10>
active T
comment FTP CMD overflow attempt
comment "pcre: /^CMD\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[cC][mM][dD][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[cC][mM][dD]/"
</delete>
</augment>
<augment 2331-2>
active T
comment WEB-PHP MatrikzGB privilege escalation attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2001-1>
active T
comment WEB-CGI smartsearch.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 557-6>
active F
comment P2P GNUTella client request
comment "informational only"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
</augment>
<augment 1239-5>
active T
comment NETBIOS RFParalyze Attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/netbios.rules
</augment>
<augment 1980-1>
active T
comment BACKDOOR DeepThroat 3.1 Connection attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 2275-2>
active T
comment SMTP AUTH LOGON brute force attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
</augment>
<augment 1111-5>
active T
comment WEB-MISC Tomcat server exploit access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1690-3>
active T
comment ORACLE grant attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 1982-1>
active T
comment BACKDOOR DeepThroat 3.1 Server Response [3150]
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 2393-1>
active F
dst-ip == local_nets
comment "WEB-PHP /_admin access"
comment "Many false positives are possible, as this attack really requires multiple steps to be successful"
comment "Suggestion: analyze site and test for vulnerability, make any adjustments, and then disable this rule."
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2408-1>
active F
comment WEB-MISC Invision Power Board search.pl access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
comment "Informational only"
comment "Too general"
</augment>
<augment 629-2>
active T
comment SCAN nmap fingerprint attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
</augment>
<augment 1540-5>
active F
comment WEB-COLDFUSION ?Mode=debug attempt
comment "not exploit worthy"
comment "informational only"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
</augment>
<augment 2305-2>
active T
comment WEB-PHP chatbox.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2064-2>
active T
dst-ip == local_nets
comment WEB-MISC Lotus Notes .csp script source download attempt
comment "verify that the application is not vulnerable"
comment "informational only"
requires-reverse-signature ! http_error
<delete>
payload /.*\.csp\./
</delete>
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1592-4>
active T
comment WEB-CGI /fcgi-bin/echo.exe access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 1933-1>
active F
comment WEB-CGI cart.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
comment "Informational only"
</augment>
<augment 1682-3>
active T
comment ORACLE all_source access
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 2416-1>
active T
comment FTP invalid MDTM command attempt
comment "pcre: /^MDTM \d+[-+]\D/smi"
comment "corrected translation: a single character class [mMdDtTmM] matched only one character instead of the MDTM verb, and the space between the verb and the digits in the documented pcre was missing"
ftp "/((^)|(\n+))[mM][dD][tT][mM]\x20[0-9]+[-+][^0-9]/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[mM][dD][tT][mM]/"
</delete>
</augment>
<augment 2107-3>
active T
comment IMAP create buffer overflow attempt
comment "pcre: /\sCREATE\s[^\n]{1024}/smi"
comment "NOTE: the documented pcre is not anchored at line start, but this translation is and then requires whitespace; a tagged command such as 'A001 CREATE ...' would not satisfy it - verify against real IMAP traffic"
payload "/((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]{1024}/"
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/imap.rules
<delete>
payload "/.*CREATE/"
</delete>
</augment>
<augment 1697-3>
active T
comment ORACLE alter database attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 1491-6>
active T
comment WEB-PHP Phorum /support/common.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 632-5>
active T
comment SMTP expn cybercop attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
</augment>
<augment 2357-2>
active T
comment WEB-PHP WebChat english.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2484-1>
active T
comment WEB-MISC source.jsp access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2114-3>
active T
comment "RSERVICES rexec password overflow attempt"
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/rservices.rules
</augment>
<augment 2113-3>
active T
dst-ip == local_nets
comment "RSERVICES rexec username overflow attempt"
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/rservices.rules
</augment>
<augment 2246-1>
active T
comment WEB-MISC webadmin.dll access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1626-4>
active T
comment WEB-IIS /StoreCSVS/InstantOrder.asmx request
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 2141-1>
active T
comment WEB-PHP shoutbox.php directory traversal attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2157-2>
active T
comment WEB-IIS IISProtect globaladmin.asp access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1683-3>
active T
comment ORACLE all_tables access
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 1382-9>
active T
comment EXPLOIT CHAT IRC Ettercap parse overflow attempt
comment "pcre: /^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"
payload "/((^)|(\n+))[pP][rR][iI][vV][mM][sS][gG][\x20\x09\x0b]+[nN][iI][cC][kK][sS][eE][rR][vV][\x20\x09\x0b]+[iI][dD][eE][nN][tT][iI][fF][yY][\x20\x09\x0b][^\n]{100}/"
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
<delete>
payload "/.*[pP][rR][iI][vV][mM][sS][gG]/"
payload "/.*[nN][iI][cC][kK][sS][eE][rR][vV]/"
payload "/.*[iI][dD][eE][nN][tT][iI][fF][yY]/"
</delete>
</augment>
<augment 215-4>
active T
comment BACKDOOR MISC Linux rootkit attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
</augment>
<augment 2363-2>
active T
comment WEB-PHP Cyboards default_header.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1850-3>
active T
comment WEB-CGI way-board.cgi access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 565-6>
active F
comment P2P Napster Server Login
comment "informational only"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
</augment>
<augment 1069-6>
active T
comment WEB-MISC xp_regread attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 233-3>
active T
comment DDOS Trin00 Attacker to Master default startup password
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
</augment>
<augment 1490-6>
active T
comment WEB-PHP Phorum /support/common.php attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1693-4>
active T
comment ORACLE create table attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 2320-1>
active T
comment EXPLOIT ebola USER overflow attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
<delete>
payload /.*[uU][sS][eE][rR]/
</delete>
payload /((^)|(\n+))[uU][sS][eE][rR][^\x0a]{49}/
</augment>
<augment 2140-1>
active T
comment WEB-PHP p-news.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2000-1>
active T
comment WEB-PHP readmsg.php access
comment "Many false positives are possible"
comment "If running this webmail server, check the version to make sure it's not vulnerable, and then disable this signature or adjust the notice action."
dst-ip == local_nets
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 489-7>
active T
comment INFO FTP no password
comment "pcre: /^PASS\s*\n/smi"
comment "corrected translation: the documented pcre is anchored at line start with no leading whitespace, and the \s* before the newline must also accept a carriage return for CRLF-terminated commands"
ftp "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b\x0d]*\n/"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/info.rules
<delete>
payload "/.*[pP][aA][sS][sS]/"
</delete>
</augment>
<augment 1936-4>
active T
comment POP3 AUTH overflow attempt
comment "pcre: /^AUTH\s[^\n]{50}/smi"
payload "/((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{50}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
<delete>
payload "/.*[aA][uU][tT][hH]/"
</delete>
</augment>
<augment 2361-2>
active F
comment WEB-PHP news.php file include
comment "Too general"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2058-1>
active T
comment WEB-MISC MsmMask.exe attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2355-2>
active T
comment WEB-PHP Invision Board emailer.php file include
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1680-3>
active T
comment ORACLE all_constraints access
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 1826-4>
active T
comment WEB-MISC WEB-INF access
requires-reverse-signature ! http_error
http /.*[\/\\]WEB-INF \./.{1,}/
<delete>
http /.*[\/\\]WEB-INF/
</delete>
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 2077-2>
active T
comment WEB-PHP Mambo upload.php access
comment "very general"
comment "only matters if the destination is in local_nets, and even then it may be too noisy"
dst-ip == local_nets
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1695-3>
active T
comment ORACLE truncate table attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 1126-6>
active T
comment WEB-MISC AuthChangeUrl access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1464-3>
active T
comment ATTACK-RESPONSES oracle one hour install
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/attack-responses.rules
</augment>
<augment 1818-3>
active T
comment WEB-IIS MS Site Server admin attempt
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 2347-2>
active T
comment WEB-PHP myPHPNuke partner.php access
comment "signature adjusted based on an attack example; this may be too limiting"
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
http /.*\x3d.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
</augment>
<augment 1685-4>
active T
comment ORACLE all_tab_privs access
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
</augment>
<augment 562-5>
active F
comment P2P Napster Client Data
comment "informational only"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
</augment>
<augment 1497-6>
active T
comment WEB-MISC cross site scripting attempt
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1478-3>
active T
comment WEB-CGI swc access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 1379-7>
active T
comment FTP STAT overflow attempt
comment "pcre: /^STAT\s[^\n]{100}/smi"
eval dataSizeG100
ftp "/((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{100}/"
requires-reverse-signature ! ftp_server_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
<delete>
payload "/.*[sS][tT][aA][tT]/"
</delete>
</augment>
<augment 2399-1>
active T
comment WEB-PHP WAnewsletter db_type.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 1376-5>
active T
comment WEB-MISC jrun directory browse attempt
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 912-5>
active T
comment WEB-COLDFUSION parks access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
</augment>
<augment 2369-1>
active T
comment WEB-MISC ISAPISkeleton.dll access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
</augment>
<augment 1750-3>
active T
comment WEB-IIS users.xml access
requires-signature http_iis_server
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
</augment>
<augment 1966-2>
active T
comment MISC GlobalSunTech Access Point Information Disclosure attempt
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/misc.rules
</augment>
<augment 321-5>
active T
comment FINGER account enumeration attempt
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/finger.rules
</augment>
<augment 1990-1>
active F
comment CHAT MSN user search
comment "informational only"
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/chat.rules
</augment>
<augment 1482-4>
active T
comment WEB-CGI view_source access
requires-reverse-signature ! http_error
sigaction SIG_FILE
snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
</augment>
<augment 2109-3>
active T
comment POP3 TOP overflow attempt
comment "pcre: /^TOP\s[^\n]{10}/smi"
payload "/((^)|(\n+))[tT][oO][pP][\x20\x09\x0b][^\n]{10}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
<delete>
payload "/.*[tT][oO][pP]/"
</delete>
</augment>
<augment 1745-3>
active T
comment WEB-PHP Messagerie supp_membre.php access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
</augment>
<augment 2111-3>
active T
comment POP3 DELE overflow attempt
comment "pcre: /^DELE\s[^\n]{10}/smi"
payload "/((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{10}/"
requires-reverse-signature ! pop_return_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
<delete>
payload "/.*[dD][eE][lL][eE]/"
</delete>
</augment>
<augment 1521-6>
active F
comment WEB-MISC server-status access
requires-reverse-signature ! http_error
sigaction SIG_LOG
snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
comment "Informational only"
comment "Could point to a default install or an incorrectly configured Apache server"
</augment>
<augment http-shell-check>
active T
comment http_shell_check is used to filter shell references out of man pages
sigaction SIG_IGNORE
</augment>
###############################
## Augment file compiled on 2004-07-12 from Snort rules dated 2004-07-09
###############################